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DEPARTMENT OF VETERANS AFFAIRS 
INFORMATION TECHNOLOGY PROGRAM 


THURSDAY, MAY 11, 2000 

U.S. House of Representatives, 
Subcommittee on Oversight and Investigations, 

Committee on Veterans’ Affairs, 

Washington, D.C. 

The subcommittee met, pursuant to notice, at 12:22 p.m., in room 
334, Cannon House Office Building, Hon. Terry Everett (chairman 
of the subcommittee) presiding. 

Present: Representatives Everett and Brown. 

OPENING STATEMENT OF CHAIRMAN EVERETT 

Mr. Everett. Good afternoon. My notes say good morning, but 
obviously we’ve slipped past that by now. 

This hearing will examine Department of Veterans Affairs infor- 
mation and technology, referred to as the IT program. VA’s IT 
budget is $1.2 billion this year, and next year’s proposed budget is 
$1.4 billion. This is the first of two hearings on the VA’s informa- 
tion technology program. We will hear testimony from representa- 
tives of the General Accounting Office, the VA Inspector General’s 
Office, and the VA. 

These evolving IT modernization efforts go back at least to the 
1985 Veterans’ Administration policy to provide better service to 
veterans through modern technology. And here we are 15 years 
later, and what progress has the VA made? And most importantly, 
how has service to the veterans improved? 

Congress has encouraged and provided generous funding for 
modernization efforts, but it has long been doubtful of VA’s pro- 
gram management and a lack of measurable results in delivering 
benefits and services to veterans. We are sure of one thing: The VA 
spent a mountain of money, billions of dollars, on computers and 
software, but other than having a lot of computers and software at 
the VA, the return on investment for taxpayers and veterans is not 
that obvious. The VA does have one clearly successful IT project to 
build on — its Y2K effort. And we’ll do a retrospective on that later 
as well. 

We have a lot to cover. We’re late. We will have additional votes 
this morning, and it’s my intention to move the subcommittee hear- 
ing along as rapidly as possible. And I would ask all the folks testi- 
fying to limit your oral testimony to 5 minutes, and we’ll put your 
complete testimony in the record. 

( 1 ) 
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I’d like to now recognize my friend and ranking member, Corrine 
Brown, for whatever remarks the Congresswoman would like to 
make. 


OPENING STATEMENT OF HON. CORRINE BROWN 

Ms. Brown. Thank you, Mr. Chairman. Information technology 
is complex, rapidly changing, and seems to require ever large in- 
vestments every year. We are attracted, sometimes even blinded, 
by its potential benefits. Unfortunately, at times, information tech- 
nology evolves faster than agency cultures and management 
mindsets are able to adjust. 

This morning we’ll hear from the GAO and the IG telling about 
decades of unfulfilled promises, missed deadlines, and wrong turns 
that have cost the taxpayers millions of dollars. On the positive 
note, they also will report that VA is making limited progress and 
that there is hope for better results if various recommendations are 
followed. 

The VA presentation, as you would expect, will be forward-look- 
ing, telling us about their new organizational structure, planning 
systems, and initiatives. 

On January 1, 2000, VA provided that — with a little oversight in- 
centive from this Subcommittee — it could meet its difficult IT chal- 
lenges successfully. I applaud VA’s year 2000 rollover effort and its 
architect, Harold Gracey. A lot of valuable lessons were learned 
from the VA’s Y2K preparation, and a major byproduct of success 
was program credibility. 

Mr. Chairman, although I am concerned about the broad IT 
issues like information security and integrated architecture, I am 
also encouraged with the positive position of VA’s capital planning 
and investment process. My interest today, however, is in the de- 
tails represented by projects like the data center consolidation and 
VETSNET. Responses to my questions about these details will give 
me a measure of VA’s current institutional culture and the deci- 
sion-making process. 

Today’s hearing is just the first in what promises to be a series 
of hearings extending way beyond the 106th Congress, no matter 
which party is in control. Mr. Chairman, I appreciate the biparti- 
san nature of this committee and the way that we work together, 
and I’m looking forward to this hearing. 

[The prepared statement of Congresswoman Brown appears on p. 
29.] 

Mr. Everett. I appreciate those comments, and we will begin 
now. I’d like to recognize Joel Willemssen, the Director of Civil 
Agencies Information Systems of the GAO, and ask him to please 
introduce his staff. 
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STATEMENT OF JOEL C. WILLEMSSEN, DIRECTOR, CIVIL 
AGENCIES INFORMATION SYSTEMS, ACCOUNTING AND IN- 
FORMATION MANAGEMENT DIVISION, GENERAL ACCOUNT- 
ING OFFICE; ACCOMPANIED BY HELEN LEW, ASSISTANT DI- 
RECTOR, CIVIL AGENCIES INFORMATION SYSTEMS, AC- 
COUNTING AND INFORMATION MANAGEMENT DIVISION, 
GENERAL ACCOUNTING OFFICE 

Mr. WiLLEMSSEN. Thank you, Mr. Chairman, Ranking Member 
Brown. Thank you for inviting us to testify today. Accompanying 
me is Helen Lew, assistant director. As requested. I’ll summarize 
our statement. 

Since issuing our report in 1998 on the need for VA to implement 
information technology reforms, the department has made 
progress. For example, compared to its fiscal year 1999 investment 
and review process for information technology projects, the fiscal 
year 2001 process provided decision-makers with more detailed in- 
formation on proposed projects such as rates of returns and risks. 

In addition, VA’s in-process reviews are focusing on whether 
projects are meeting cost, schedule, and performance goals. Fur- 
ther, VA has improved its post-implementation reviews of projects 
by starting to compare actual versus estimated costs, schedules, 
and benefits, and by beginning to identify lessons learned that can 
be used in future efforts. 

Even with this progress, however, much work remains for VA to 
achieve truly effective management of information technology. I’d 
like to highlight what we believe are the key actions VA needs to 
do this. 

First, it’s extremely important that the department have the nec- 
essary information technology leadership by filling the CIO position 
which has now been vacant for almost 2 years. This is now more 
critical than ever, given Mr. Gracey’s planned departure. 

In the investment management area, VA needs to (1) establish 
and monitor deadlines for completing in-process reviews to ensure 
they’re done timely; (2) make sure lessons learned from post-imple- 
mentation reviews are communicated back to top decision-makers; 
and (3) for information technology investments below the thresh- 
olds established for the Capital Investment Board, follow through 
on plans to develop, update, and implement needed guidance. 

Regarding its vision of “One VA,” the department needs to reas- 
sess its compartmentalized strategy of having each component de- 
velop its own approach to achieving the “One VA” vision. It also 
needs to commit to developing an integrated information tech- 
nology architecture along with an implementation plan and mile- 
stones for when this will be completed. 

Finally, in the critical area of computer security, VA needs to 
continue working to address and resolve key weaknesses identified 
by the inspector general and by GAO. 

Mr. Chairman, you also asked us to briefly comment on three 
specific projects: The Master Veteran Record, VBA’s action to mod- 
ernize its systems, and VHA’s Decision Support System. Each 
project faces challenges. For example, linkage of the Master Vet- 
eran Record to VBA’s compensation and pension service line has 
been delayed, even though this could yield significant savings in re- 
duced overpayments. 
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Regarding VBA’s efforts to modernize its systems, two major 
projects we reviewed have been problematic; The $11.5 million 
compensation and pension replacement project has missed several 
milestones and currently has no expected completion date, while 
the $3 million education redesign effort was terminated without a 
product. 

Finally, although VHA has spent more than $200 million to de- 
velop and operate its Decision Support System, usage of the system 
for areas such as budget formulation, resource allocation, and 
health outcomes and effectiveness has been limited. 

In conclusion, while VA has made progress, it still must take ac- 
tion in several areas, and by committing to these actions and asso- 
ciated milestones for when they will be completed, VA will be in 
a much better position to provide quality service to their primary 
client — the veteran. 

That concludes a summary of my statement, and we’d be pleased 
to address any questions you may have. Thank you. 

[The prepared statement of Mr. Willemssen appears on p. 30.] 

Mr. Everett. Well, thank you very much. I must say that having 
started hearings on technology modernization program and com- 
puter programs over 5 years ago when I was chairman of Com- 
pensation and Pensions, I must tell you that where the VA has 
gone with this is extremely disappointing. 

I think we’ll alternate questions between myself and the ranking 
member, each taking 5 minutes. And let me start by asking you 
how much has VA spent on IT over the past decade, and if you 
would break that down between VBA and VHA and NCA. 

Mr. Willemssen. Unfortunately, Mr. Chairman, we can’t give 
you a precise estimate even of how much money has been spent. 
I don’t believe, in all honesty, VA can give you an honest answer 
either because it does not have an adequate cost accounting system 
to be able to track those costs, an issue that we brought to your 
attention in testimony about 4 years ago. 

I know that VA is trying to address this issue, but it has not 
been fully addressed yet. Therefore it is difficult for us to estimate 
how much has been spent. 

You mentioned in your opening statement that this is no small 
amount. In the last 3 years, it’s averaged slightly over $1 billion 
annually. There is a great deal of money being spent, but precisely 
how much I think remains a bit unknown. 

With VA committing to a more thorough investment manage- 
ment process for IT projects, I think it will begin to get a better 
handle on its cost, but VA will still need a good cost accounting 
system. 

Mr. Everett. Let me see if I understand what you’ve just told 
me. What you have just told me is not only can the VA not tell me 
how much each of these departments has spent, but if I understand 
you, they can’t tell me how the money was spent? 

Mr. Willemssen. It’s been very problematic for us to get this in- 
formation. Yes, I don’t believe VA will be able to tell you on a uni- 
versal scale. 

Mr. Everett. In short, they can’t balance their books on this 
money? 
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Mr. WiLLEMSSEN. For the information technology projects, we’ve 
been unable to identify the cost information. Correct, sir. 

Mr. Everett. And we’re talking over the last 4 years, between 
$4.5 and $5 billion? 

Mr. WiLLEMSSEN. It would be in that neighborhood, yes, Mr. 
Chairman. 

Mr. Everett. Apparently the cost accounting for the VA is not 
progressing all that well. You know, you gave me your first report, 
I can’t remember, 4 or 5 years ago on this, and at that time we 
couldn’t find out where the money had been spent, either. 

Mr. WiLLEMSSEN. Yes. 

Mr. Everett. And we were very interested in seeing the VA gets 
some sort of cost accounting. It seems to me that, you know, if it’s 
4 years, that’s an awfully long time. 

Mr. WiLLEMSSEN. Yes. Not to give excuses for VA, but it did have 
one major project that did take priority, and as you mentioned in 
your opening statement Y2K became the top priority for the de- 
partment. So that in part pushed the cost accounting aside, unfor- 
tunately. But, it’s still absolutely necessary to know how your 
funds are being spent, more importantly, what kind of benefits are 
we getting for this money? How is it improving service to the vet- 
eran? VA is committed to starting to get this information. This 
commitment unfortunately was lacking in the past, Mr. Chairman. 

Mr. Everett. Well, I’m extremely pleased with the way that VA 
handled the Y2K problem. Perhaps what you don’t know is I called 
officials of the VA into my office and asked them point blank: 
whose head is going to roll if this is not done correctly? And I was 
given assurances that it would be done correctly. And I guess the 
chairman, either myself or perhaps Ms. Brown next year, is going 
to have to do the same type of thing to get this cleared up. We sim- 
ply can’t have billions and billions of dollars spent and services to 
the veterans not improved. 

We just got through a full committee meeting where we’re all 
disturbed about not being able to go beyond the budget within the 
VA to give more money to the Montgomery GI Bill. It’s this com- 
mittee’s responsibility to see that this money is spent correctly. 
And I’ll tell you, it gets kind of frustrating at times. 

How much has the VA invested in the VETSNET project over the 
last 8 years? 

Mr. WiLLEMSSEN. Based on available information, we testified 
approximately 4 years ago that it had spent about $284 million, 
and we’ve seen another approximate $100 million since then. Ac- 
cordingly, over a 14-year timeframe, we know that at least $384 
million was spent on the collection of projects known as VETSNET. 

Mr. Everett. And how well was that money spent? What did we 
get for that money? And if we didn’t get what we should have got- 
ten, if some of the money was wasted, why was it wasted? Has it 
to do with contracts or 

Mr. WiLLEMSSEN. I’d like to answer that in this way, Mr. Chair- 
man. It’s critical that VA have an investment management process 
in place so it can demonstrate the benefits associated with these 
investments. Until recently, this process wasn’t in place. As a re- 
sult, we do not have any kind of precise detail on the benefits asso- 
ciated with particular projects. 
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On VETSNET, we focused on the C&P replacement effort and 
the education redesign effort, which totalled were about a little 
over $10 million. For these two projects, we could not readily iden- 
tify any benefits associated with improved services to the veteran. 

Mr. Everett. Before I pass on to our ranking member, didn’t the 
GAO recommend termination of the VETSNET project, and wasn’t 
there also other recommendations from other sources on 
termination? 

Mr. WiLLEMSSEN. Yes, sir. We testified before you in 1996. One 
of the issues that we brought to the table then was the fact that 
VA’s software development capability was ranked fairly low and 
characterized by ad hoc and chaotic processes. We recommended 
that until VA had significantly improved its process to a more ma- 
ture level, it should delay any new investments in software-inten- 
sive projects. 

Mr. Everett. I recall some 4 years ago that they were using 
COBOL in some of their software? 

Mr. WiLLEMSSEN. Some of their software is still in COBOL. 

Mr. WiLLEMSSEN. Ms. Brown. 

Ms. Brown. First of all, I want to thank both of you for the long 
hours and hard work you put in over several years to help prepare 
us for the Year 2000 rollover. Without your help and dedication, we 
would probably be talking about some of the problems that we were 
experiencing with Y2K. So, thank you, thank you. 

Mr. WiLLEMSSEN. Thank you. 

Ms. Brown. What were the three-to-five most important lessons 
that the Department should have learned from its preparation ex- 
perience that can be used to improve the way it does information 
technology in the future? 

Mr. WiLLEMSSEN. One, top management leadership and involve- 
ment. This was a priority at the most senior levels of the depart- 
ment, and that priority really filtered down throughout the organi- 
zation. There was no question in the minds of VA staff about what 
they needed to do on Y2K. So I think this is valuable lesson 
learned on what is needed to tackle some of the issues that we’ve 
discussed today. 

Secondly, I think effective project management, making sure the 
kind of tools that were used on Y2K can also be appropriately used 
to tackle some of the efforts here today. 

Third, I strongly believe in milestones. With Y2K, we had a mile- 
stone that wasn’t going to change. I think on these kind of informa- 
tion technolo^ projects it’s important to get the department to 
commit to doing certain actions smd say when they are going to 
have them done so that you can track how well they are doing in 
carrying out those actions. So I think delivering on those mile- 
stones is also very important. 

I would add that VA overall is in a much better position to man- 
age its information technology now than it was a couple of years 
ago because of Y2K. This is because they now know what they 
have. This is the case in many agencies throughout the Federal 
Government. Many agencies were lacking a basic inventory of their 
systems, and they were forced to inventory their systems because 
ofY2K. 
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Ms. Brown. Just to follow up, what is your assessment of top 
management’s commitment and support of information technology 
today and what would you base that assessment on? 

Mr. WiLLEMSSEN. Well, I think VA has taken actions to dem- 
onstrate their commitment to IT through the Y2K project and 
through some of the actions they’ve taken in the investment man- 
agement area. But one of the most important things that needs to 
occur is making sure that top IT officials are in place. 

As we mentioned in our testimony, the CIO position has been va- 
cant now for almost 2 years, and now we have Mr. Gracey getting 
ready to depart. Top level departures like this are a cause for con- 
cern. Leadership is really a pivotal element to making this all 
work. 

Ms. Brown. VA was really a leader as far as Y2K, and I’m really 
pleased with that. There is another area, and that area is informa- 
tion security. I don’t guess I have to say too much about it, but do 
you think that VA is prepared to take leadership in that area also? 

Mr. WiLLEMSSEN. One, VA does have some difficulties, but so do 
the vast majority of other federal agencies, so it is not alone. Com- 
puter security is probably near the top as one of the most impor- 
tant IT issues that we have to deal with. So I think there is a level 
of commitment. We’d obviously, again, like to see more done, and 
we have some outstanding recommendations. So, again, we’d like 
to see a commitment on the part of VA to make sure those are done 
as quickly as possible. 

Ms. Brown. Are you going to give us those recommendations? Is 
this a part of your testimony today? 

Mr. WiLLEMSSEN. We issued a report in late 1999, fall 1999, that 
discussed some of those recommendations on access controls, pass- 
word controls, and segregation of duties. I believe the inspector 
general, who will be coming up next, may also have recommenda- 
tions since they’ve reported on this, providing more detail on what 
they found in the computer security area. 

Ms. Brown. Thank you. Mr. Chairman, I ^eld back my time. 

Mr. Everett. Let me pick up on something Ms. Brown brought 
up. How many VA senior IT management positions are filled with 
acting people or are vacant? 

Mr. WiLLEMSSEN. One, the department level CIO is vacant and 
has been for almost 2 years now. Mr. Gracey as the principal will 
be departing at the end of the month, so that’s a second one. I be- 
lieve Austin Automation Center is currently vacant, and the VHA 
CIO position is currently vacant and the person who is acting is 
carrying out two responsibilities. I understand VHA is moving ag- 
gressively to try to fill this position, so that’s four that I can iden- 
tify off the top. 

Mr. Everett. Have you any idea abopt second-tier folks? I know, 
for instance, at Austin we have some sectjnd-tier vacancies. 

Mr. WiLLEMSSEN. If I may, I’d defer to Ms. Lew. 

Mr. Everett. Certainly. Ms. Lew? 

Mr. WiLLEMSSEN. Can you fill in on any secondarj? positions? 

Ms. Lew. I’m not aware of any. I know the key one is the director 
of the Austin Automation Center. VBA just recently hired a CIO, 
and I think we have an acting deputy CIO at VBA. 



8 


Mr. Everett. I believe the director of financial services at Austin 
is also vacant. This begs the question, why? 

Mr. WiLLEMSSEN. Well, I think that gets back to the issue of 
commitment also, and making sure that IT is an important issue 
that’s being addressed at the department. The best way to address 
it is getting top leadership in there engaged, directed, and focused 
on IT. 

Mr. Everett. Has the VA fully implemented the most crucial 
critical elements of the Clinger-Cohen Act? 

Mr. WiLLEMSSEN. It overall has not implemented the majority of 
those elements. Included among those would be implementation of 
a chief information officer, which we just talked about. Secondly, 
they do not at this point have a department-wide integrated archi- 
tecture. Third, they do not have a unified department-wide strategy 
for reassessing their business processes to improve services to the 
veteran. 

In the investment management area, which is also a key compo- 
nent of Clinger-Cohen, they have made progress and implemented 
much of the provision in Clinger-Cohen, although we point out a 
few other areas within that they still need to work on. 

Mr. Everett. The areas where they have not acted, what will 
the impact be? 

Mr. WiLLEMSSEN. The impact is the risk of continuing to have 
projects over cost, behind schedule, and without a clear designation 
of what the benefits are- associated with those projects. And the 
bottom line is, will they achieve their One VA vision if they con- 
tinue to take a compartmentalized approach to reassessing their 
business processes? 

Mr. Everett. The capital investment decision-making process is 
relatively new, but of course it’s a really important step. Does the 
process assure that the projects proposed are the right ones to 
carry out the vision of, rather than having three VAs, having one 
VA? 

Mr. WiLLEMSSEN. As it stands now, 1 think the risk is that you 
move more in the direction of three VAs rather than one. I think 
the department needs to reassess this strategy and look more at a 
unified approach so that the focus is on the veteran, whether it’s 
health or benefits. This would also help reduce the potential for 
redundancies between the different components of VA and can as- 
sist in cost reductions. 

Mr. Everett. Well, we know Deputy Secretary Gober has that 
as one of his goals. But where are we missing? What’s happening 
here when you’ve got the Deputy Secretary, who I personally know 
to want the One VA project to be a success — he strongly wants it — 
yet it’s not getting done? 

Mr. WiLLEMSSEN. Well, I think in part what you have is the ben- 
efits side and the health side still feeling that they want to imple- 
ment their projects to improve their processes. I think it’s some- 
times fairly natural that individuals within their organizations 
want to pursue their particular investments. I think what’s nec- 
essary is a strong chief information officer in place with a depart- 
ment-wide focus. I’m not sa 3 nng that VBA and VHA can’t pursue 
such efforts, but they need to make sure that they link up in an 
integrated fashion with the overall One VA vision. 
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Ms. Brown, do you have any additional questions? 

Ms. Brown. Yes, sir. I’m concerned when I hear that VA is sim- 
ply automating old models that have always been used, and that 
what they really need a system based around a veteran rather than 
a program. How valid is this assessment, and what does VA need 
to do to provide effective, seamless, One-VA service to American 
veterans and their families? 

Mr. WiLLEMSSEN. I think that is a valid point. Increasingly, VA 
needs to look at who its primary client is, and that is the veteran, 
and how can we best serve that veteran. In an ideal sense, veter- 
ans would want to be able to get from the department information 
on exactly where they stand not only on the benefits side but also 
the health side. To the extent that the department had the nec- 
essary security and privacy, you would, in an ideal sense, want to 
see that kind of information readily available in an electronic form 
so that a veteran could immediately access that information. 

To the extent the department continues to take more of a com- 
partmentalized approach, it will be that much more difficult to 
achieve that kind of a vision. Therefore, we think is necessary is 
to move away from that component agency approach and take a 
more unified department-wide approach. 

Ms. Brown. One last question, Mr. Chairman. How well is the 
VA preparing for the future that will have an increasing number 
of veterans wired and able to communicate with the department? 
Of course, this question goes beyond information technology, it in- 
volves staffing and program administration. As people become more 
informed of their benefits, there will be more business. 

Mr. WiLLEMSSEN. This is exactly what VA focused on in the im- 
plementation of its vision for One VA and how it would provide in- 
formation to the veterans increasingly in electronic form while still 
retaining necessary security and privacy precautions and protec- 
tion? I think clearly that this is the direction the department needs 
to head. 

Ms. Brown. I 3 aeld back my time, Mr. Chairman. Thank you. 

Mr. Everett. Thank you. Assuming we get the One VA and reap 
all the wonderful benefits that we all agree could happen there, is 
it just too much to hope for that VA computers could ever talk to 
DOD computers and solve some of our problems there? 

Mr. WiLLEMSSEN. I think that’s a lofty goal, but I think — and 
that’s what we should be shooting for is to try to have one mas- 
ter — truly one veteran record, rather than just a messaging system. 
I think this is still a goal that’s worth shooting for. But at least 
initially, we’d like to see VA do it on a department- wide level. 

Mr. Everett. Thank you very much, and I thank you for your 
testimony. 

Mr. WiLLEMSSEN. Thank you. 

Mr. Everett. And now I’d like to call Richard Griffin, the Inspec- 
tor General for the VA. And Mr. Griffin, if you will, please intro- 
duce your staff. 

Mr. Griffin, as usual, I want to ask you to hold your testimony 
to 5 minutes, and your complete statement will be made a part of 
the record. And you may proceed at any time. 


66-494 00 -2 
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STATEMENT OF RICHARD J. GRIFFIN, INSPECTOR GENERAL, 

DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY 

MICHAEL SLACHTA, JR., ASSISTANT INSPECTOR GENERAL 

FOR AUDITING, DEPARTMENT OF VETERANS AFFAIRS 

Mr. Griffin. Thank you. I’m accompanied by Mike Slachta, who 
is my assistant inspector general for audit. 

Mr. Chairman and members of the subcommittee, I am pleased 
to be here today to comment on the Department of Veterans Affairs 
Information Technology program. Mr. Slachta, who joins me today, 
you may recall, testified last year before this committee and pre- 
sented audit work we completed on the department’s successful 
Year 2000 effort. 

During the last several years, the Office of Inspector General has 
reviewed selected VA IT system development initiatives, procure- 
ments and capital asset acquisition practices that identified oppor- 
tunities where the department could enhance its IT investment ef- 
forts. Our IT review efforts have also focused on departmental in- 
formation security controls. 

While the department is taking certain positive actions, our au- 
dits have found that the department needs to more fully assure 
that IT resources are effectively used and client IT needs are effec- 
tively met. 

Effective management and oversight of VA’s IT investment is 
critical, given the significant fiscal year 2000 investment of over $1 
billion. 

Our review efforts have identified opportunities for enhance- 
ments in key VA system developments involving Electronic Data 
Interchange, human resources and payroll, and a management in- 
formation system to support delivery of health care to veterans. 

For example, in 1999 we conducted an audit of the Veterans 
Health Administration Decision Support System or DSS. DSS rep- 
resents VHA’s first automated managerial cost accounting system 
for the delivery of health care. Our audit found that the potential 
usefulness of DSS was compromised because some VA Medical 
Center staff had diverged from the DSS system’s basic structural 
standard. Where such divergence occurred, it prevented data from 
being accurately aggregated. 

We recommended and the Under Secretary agreed that DSS can 
only achieve its full potential if VHA ensures that the medical fa- 
cilities follow the standard DSS structure. Our audit report esti- 
mated that as of September 1998, VHA investment in DSS was 
about $140 million. 

Our review efforts have also identified opportunities for VA to 
enhance the efficiency and effectiveness of IT contracting initiatives 
and assure that the department’s IT capital investment process ad- 
dresses the requirements of the Clinger-Cohen Act. 

For example, in 1999 we audited the procurement initiatives for 
the VA telecommunication support, known as the Integrated Data 
Communications Utility, or IDCU. The audit identified issues in 
the 10-year-old IDCU contract that adversely impacted VA oper- 
ations and costs. The IDCU system and contract were no longer 
meeting VA’s telecommunication requirements effectively or effi- 
ciently. Key audit findings included: 
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(1) Contract modifications totaling $142 million were not sup- 
ported; (2) VA spent approximately $3.1 million leasing and main- 
taining unused data ports over the life of the contract; and (3) VA 
needed to recover over $1 million in payments to the contractor for 
a Performance Management System that was not accepted. 

We also advised the department that it needed to conduct a for- 
mal risk assessment to adequately assess, manage, and mitigate 
the levels of risk associated with transitioning to a new wide area 
network solution. 

In response to a request from the Principal Deputy Assistant 
Secretary for Information and Technology, we included a review of 
the IT acquisition process as part of our regularly scheduled Com- 
bined Assessment Program reviews. So far, our CAP reviews at 
VAMCs in Dublin, GA; Biloxi, MS, and Denver, CO did not identify 
any IT procurement problems. 

Finally, our review efforts over the last several years have identi- 
fied department-wide weaknesses in information systems security 
that continue to make VA’s program and financial data vulnerable 
to error and fraud. 

Audit tests completed this year continue to demonstrate wide- 
spread system security control weaknesses. Our security control 
testing found that access controls and monitoring were ineffective. 
Our penetration tests at VBA demonstrated that weaknesses al- 
lowed us to obtain privileged access from outside and inside VBA 
to significant computing resources without being detected. 

In addition, significant weaknesses in the automated data proc- 
essing general controls also continued within VHA. For example, at 
one facility we determined that 3,860 users inappropriately had the 
ability to obtain one of the password files, and that 90 accounts re- 
mained active despite the fact that owners had not signed on the 
system in more than a year. 

We have reported system security control weaknesses in our 
1997, 1998, and 1999 financial statement audits and made rec- 
ommendations for VA to implement a comprehensive security pro- 
gram that would improve access controls. 

During 1999, VA had proposed and taken a number of corrective 
actions that could result in an effective security pro^am with 
strengthened access controls. However, these efforts are just begin- 
ning to be implemented and have not had time to permeate the en- 
tire organization. 

This concludes my testimony. We’ll be pleased to answer any 
questions that you may have. 

[The prepared statement of Mr. Griffin appears on p. 53.] 

Mr. Everett. Mr. Griffin, theuik you very much for your usual 
complete testimony. We have great indebtedness to you in this 
Subcommittee for the wealth of OIG information that you’ve given 
us over the years. 

I just want to talk about the audit on Veterans Health Adminis- 
tration. It indicates a lack of any standard practice in the collection 
of data. From my viewpoint, I think is probably another example 
of lack of senior management getting involved, and also lack of the 
integrity for the discipline of the data gathering. 

I recall back when this first came up 4 or 5 years when we were 
talking about, it seemed like everybody and their brother on every 



12 


local level was interfering with or writing their additions to the 
source codes, and we couldn’t find a clean source code an 5 rwhere to 
get started on. Could you comment on that? 

Mr. Griffin. I would say regarding the awareness of senior man- 
agement in VHA, after we had started this DSS audit, and while 
it was still in progress. Dr. Kizer asked us to look at whether or 
not you could trace the funding in VHA, that is, as they moved 
from an inpatient to an outpatient scenario, whether there was suf- 
ficient data available to demonstrate that not only had they shifted 
to outpatient care, they also had moved the commensurate amount 
of dollars to outpatient care. 

Looking at DSS — which was supposed to track cost of health care 
and management decisions for allocation of money for health care 
we realized that there were approximately 20 to 25 percent of the 
facilities that had not implemented DDS. As a result, when you try 
to analyze the data on a national basis, you find you don’t have 
good numbers to work with. 

So I think DSS is a good system. It’s a system that is needed in 
order to know how to allocate the funding, but when the system 
was put out there, I don’t think there was sufficient training pro- 
vided, and there wasn’t sufficient staffing put in place to make the 
system work the way it could work. 

Mr. Everett. I agree with you, it’s a good system. Having said 
that, why hasn’t VHA enforced data standardization issue? Why 
have they been lax on it? 

Mr. Griffin. I think until we did the audit, their level of aware- 
ness as to the amount of participation wasn’t what it should have 
been. 

Mr. Everett. My question remains why? Who knows? 

Mr. Griffin. Well perhaps VHA can answer that question. 
Thank you. 

Mr. Everett. Ms. Brown. 

Ms. Brown. Thank you. The recent Love Bug virus illustrates 
the weakness of the information systems in general. You note in 
your testimony that you’ve been able to infiltrate the system using, 
in your words, unsophisticated methods and exploring configura- 
tion weaknesses. Your report makes me nervous — very, very nerv- 
ous. What is your level of confidence that the VA plans for informa- 
tion security will provide needed protection, and what else would 
you recommend that the VA do? 

Mr. Griffin. I would concur with my colleague who preceded me 
that it’s a government-wide problem and it’s a private sector prob- 
lem also. We will be issuing a draft report, if we haven’t already 
in the last couple of days, on that penetration activity. 

There are things that can be done that aren’t nuclear physics, 
but which require that you focus on the process. And then once you 
establish what your system is going to be, you have to hold people 
accountable for making it work. Some things as simple as changing 
passwords and the number of characters and letters in your pass- 
words being changed quarterly, which is something that the de- 
partment has adopted in recent months, is not something that, 
again, requires a person to be a genius. It’s a problem of having 
a huge, decentralized organization and making sure at every one 
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of those facilities out there, that somebody is in charge of making 
sure those things happen. 

Ms. Brown. You reported weaknesses in 1997 and 1998, and 
that the VA began to address these issues in 1999. What is the VA 
doing to address these very serious problems that you’ve found? 
You mentioned a couple of things. I think this is the greatest secu- 
rity issue that our whole nation, as you said, is faced with. 

Mr. Griffin. It is. And it’s complicated by having different ad- 
ministrations on different systems. I think that you have to estab- 
lish what your security protocols are going to be, and then you 
have to make sure that at each of your major facilities, you’ve got 
a security officer who is paying attention to these issues. 

Ms. Brown. Well, we just were attacked by a 15-year-old from 
the Philippines. What if a nation decided to go in there and attack 
us? 

Mr. Griffin. It’s a serious problem. 

Ms. Brown. I know that it’s a serious problem. I know that. But 
what are some of the solutions? 

Mr. Griffin. Well, I’ll ask Mike to speak to some of the rec- 
ommendations that are going to be in our draft. But we’re reluctant 
in that penetration study to put too many specific things on the 
record, because it’s easy enough already for people to penetrate the 
system and we don’t want to make it easier for them. 

But having said that, I’ll ask Mike to speak to some of the other 
specifics. 

Mr. Slachta. Let me say that one of the things that the depart- 
ment has recently done is they’ve entered into an enterprise-wide 
assessment of the information security risks. They let a contract in 
December of 1999 to take a look at what their risks are. They’ve 
also established a response team, a critical infrastructure response 
team, so that when they find violations of security they can get to 
the situation, find out what the problem is, and correct it. 

'There is no easy solution to the security issue. The biggest prob- 
lem right now is first finding out what their risk is, and they need 
to do the risk assessment. That’s what the enterprise-wide contract 
should do for them. Then each one of the identified risks needs to 
be addressed. 

Our study makes recommendations for very specific types of 
vulnerabilities that need to be corrected, and the department’s re- 
action to our draft and to our briefings has been very positive, as 
it should be. 

Mr. Everett. Would you all stand by? We’re trying to find out 
what’s happening on the floor. Unfortunately, it appears that we 
have five votes, which means that we’re going to be gone probably 
at least 30 to 40 minutes. And I have no choice, although I’d love 
to get through, I have no choice but to recess the hearing. But prior 
to doing that, let me dismiss this panel and thank you again for 
your participation. 

[Recess.] 

Mr. Everett. The committee will come to order. 

Harold Gracey is the Principal Deputy Assistant Secretary of In- 
formation for the VA. And Mr. Gracey, if you will. I’d appreciate 
it if you would introduce your staff that you brought with you, and 
after that, you can begin your testimony. 
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Mr. Gracey. Thank you, Mr. Chairman. To my far left is Mr. 
Charles DeCoste, who’s the Director of the Data Management Of- 
fice in Veterans Benefits Administration. To my immediate left, 
Ms. K. Adair Martinez, the new CIO for the Veterans Benefits Ad- 
ministration, who we’re very happy to have on board with us. To 
my right, Mr. Charles Yarbrough, who’s the Acting CIO of the Vet- 
erans Health Administration. And to his right, Dan Marsh, who’s 
the Associate CIO in the Veterans Health Administration. 

Mr. Everett. Before we get started, Mr. Gracey, let me point out 
at the outset that this Subcommittee would like to recognize you 
and your efforts in strengthening and reforming the VA’s IT pro- 
grams. You’ve certainly made a difference in the short time that 
you’ve headed IT. You’ve started to pull together what has been 
poorly focused, poorly coordinated, and very weak management 
practices. You’ve started to bring some order and direction to it 
with critically needed reforms. 

We recognize that you and your staff were also the driving force 
behind the VA’s highly successful Y2K program. And we appreciate 
your efforts to begin the IT integration of the three VAs into One 
VA. 

Your retirement after 30 years of government service, 17 years 
of which have been spent within the VA, will leave big shoes to fill. 
I don’t know how VA will replace your institutional knowledge and 
the sharply honed management skills that you have. The VA’s 
challenge now is to go and build on what you’ve started. 

So we certainly wish you the best in your upcoming retirement 
and your future endeavors in the private sector. If you will now 
please proceed with your testimony, I would ask you to hold it to 
5 minutes, and your complete testimony will be made a part of the 
record. 

STATEMENT OF HAROLD F. GRACEY, JR., PRINCIPAL DEPUTY 
ASSISTANT SECRETARY FOR INFORMATION TECHNOLOGY, 
DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY 
C.V. YARBROUGH, ACTING CHIEF INFORMATION OFFICER, 
VETERANS HEALTH ADMINISTRATION; DAN L. MARSH, 
ASSOCIATE CHIEF INFORMATION OFFICER FOR IMPLEMEN- 
TATION AND TRAINING, VETERANS HEALTH ADMINISTRA- 
TION; K. ADAIR MARTINEZ, CHIEF INFORMATION OFFICER, 
VETERANS BENEFITS ADMINISTRATION; CHARLES R. 
DeCOSTE, DIRECTOR, DATA MANAGEMENT OFFICE, VETER- 
ANS BENEFITS ADMINISTRATION; AND VINCENT L. BARILE, 
DIRECTOR OF OPERATIONS SUPPORT, NATIONAL CEME- 
TERY ADMINISTRATION 

Mr. Gracey. Thank you, Mr. Chairman. Thank you for those 
kind remarks. 

I’d like to spend my time today just describing for you some of 
the progress we’ve made in the last 2 years, since this organization 
was established. 

I think we’ve accomplished a lot. However, I want you and the 
subcommittee to know that my colleagues here and I recognize, sir, 
that we have much further to go, especially in light of the increas- 
ing role information technology plays in the delivery of health care 
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and benefits and memorial services to our nation’s veterans, as in 
our own personal lives. 

Let me just quickly review that progress. As I said earlier, and 
it speaks to the senior management attention that you and Con- 
gresswoman Brown spoke about earlier, the Secretary established 
the position of an assistant secretary for information and tech- 
nology to be the department’s CIO about 2 years ago in recognition 
of how large a job information technology was. That was paralleled 
by the creation of CIOs in the major components to give the depart- 
ment CIO colleagues to work with. Working together as One VA, 
as you so kindly mentioned, we overcame the Y2K challenge with 
the very crucial support of you and your colleagues on this Sub- 
committee, and I want to personally thank you for your support. 

I suggest the Y2K model actually is the one that we should emu- 
late in moving forward and working together to attack the rest of 
the IT issues in the department. 

We were also confronted at this same time, with the emergent 
need to replace our wide area network, which is the data network 
that carries all the electronic transactions that support the delivery 
of health care, benefits and memorial services. We met that chal- 
lenge, again operating in a One VA manner, and are well along in 
transitioning to the new network, which is a public network for 
which the General Services Administration contracted. 

I met early on in my tenure with Mr. Willemssen from GAO and 
asked for his support and advice in steering me toward examples 
of best practices of implementing the Clinger-Cohen statute in gov- 
ernment. Our focus, and therefore our accomplishments in the last 
2 years, have been modeled on those best practices that Mr. 
Willemssen pointed me toward. We have developed a One VA infor- 
mation technology strategic plan that we revise regularly. It sets 
the framework for using information technology to improve service 
to veterans. 

We established the VA-wide technical architecture, which has 
been supplemented by architecture efforts in VBA and VHA. Fur- 
ther expansion and refinement of those efforts is ongoing, and I 
know that’s something of interest to you and the subcommittee. 

We’ve implemented a rigorous capital planning and investment 
process which has been recognized by 0MB and others as one of 
the best in government. We use it to review our plans for large ex- 
penditures at multiple levels, which culminates in a review and 
recommendation by the deputy secretary on all large projects as 
chairman of the Capital Investment Board, and by the Secretary as 
chair of the VA Resources Board. 

We’re pursuing a streamlining of our data center operations on 
which we reported to Congress earlier in the spring. We still need 
to resolve some issues with you before proceeding with that, but we 
believe it is a real money saving and service improvement effort 
and hope to be able to answer the questions that have been put to 
us in the short term. 

We’ve devised and begun implementation of a One VA informa- 
tion security program, a key element of our stewardship of the de- 
partment’s systems and veterans data, and a key piece of our archi- 
tecture, because it will allow us to expand electronic service to 
veterans. 
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Under Deputy Secretary Gober’s great leadership, we’ve had five 
national One VA planning conferences, which have been water- 
sheds, from my perspective, in moving toward one department, not 
stovepipes. They’ve truly been transformational events — and I don’t 
say that lightly — which have led to a number of business process 
reengineering efforts, many of which are IT-focused. 

In summary, as I said when I began. I’m proud of what we’ve 
been able to accomplish just in the last 2 years, and I’m personally 
and professionally grateful for the efforts of all involved, including 
you and the other members of this Subcommittee and our IG 
partners. 

I’m very proud to have been able to participate in the beginning 
of this transformation, but I reemphasize that the challenge isn’t 
small. VA is one of the largest and most complex organizations in 
the world, with more than $150 million of business moving through 
our systems every day. My colleagues and I recognize the mag- 
nitude of the challenge and realize that much remains to be done 
before success can be declared, but I would hope in subsequent 
years we are here — or they are here — to declare that success to 
you. We know it’s a big job and an important one. 

But I’d close by saying I guess this isn’t ultimately about infor- 
mation technology or perfecting the implementation of the proc- 
esses and procedures that make up the Clinger-Cohen Act. It’s in 
fact about the results, as you said earlier: Enabling the creation of 
One VA in a very real sense; creating in the department a world 
class organization at which every veteran and family member feels 
welcome, feels like they’re accessing their department which they 
own, not the government, as we’re so often characterized. It’s about 
our mission, and we know that, sir, and we’re here to commit to 
you to move on and do in the rest of IT what we’ve done in the 
past. And we’re ready for your questions. 

[The prepared statement of Mr. Gracey appears on p. 59.] 

Mr. Everett. Well, thank you very much. You state that in May 
1999 VA published a department-wide technical architecture. I un- 
derstand that this sets the standard to be followed in the design 
or acquisition of new information systems. It also addresses the 
interoperability and compatibility of your systems. How could you 
have done this when GAO’s testimony today states that neither 
VBA nor VHA have fully defined and documented their current ar- 
chitecture, IT architecture? 

Mr. Gracey. Well, the Clinger-Cohen Act suggests, and subse- 
quent guidance about it suggests that the architecture is really a 
multilayered undertaking, only one piece of it being the technical 
piece which I referred to and you just described. 

We did put together the technical architecture with the work of 
a department-wide working group that included VBA and VHA. 
Mr. Willemssen’s statement and GAO’s work criticizes us, and I 
think fairly, about not going and developing the remaining levels 
of that architecture that started with the business level and 
worked down to the more discrete data levels. Those are works in 
progress across the department. We are not as far along as we 
would like to be, but we are working at it. 

Mr. Everett. In that regard, let me also point out that the 1998 
GAO report states that the VA has not defined or developed a de- 
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partment-wide integrated architecture and needed to develop a de- 
tailed implementation plan with milestones for completing such an 
IT architecture. The VA concurred with this finding. Where is the 
plan, and what are the milestones? Can the VA truly become a One 
VA without an integrated plan? 

Mr. Gracey. There is no overall plan and no milestones, Mr. 
Chairman. In fact, I think Mr. Willemssen correctly characterized 
that we got ourselves into a bit of an emergent situation with Y2K, 
and clearly that’s the first thing that I worked on when I took over 
this job was making sure we were going make that date certain. 
We have rededicated ourselves since doing that to the One VA 
planning conferences which help establish the business level of the 
architecture and the direction that we want to go as an 
organization. 

We’ve included reference to fulfilling the interoperability of the 
technical architecture in all of our capital investment decisions and 
all of our new project plans. And I guess what I would close by say- 
ing is we’ll deliver you a plan and a schedule as soon after this 
hearing as we can so that we check off that notch on the Clinger- 
Cohen implementation. 

Mr. Everett. In other words, what you’re telling me, there is no 
plan today? 

Mr. Gracey. There is no plan to finish the department-wide ar- 
chitecture that exists on paper today. 

Mr. Everett. How about the milestones? 

Mr. Gracey. With milestones. No, there isn’t. 

Mr. Everett. Well, that’s, as you know, been a continuing prob- 
lem, not before this Subcommittee, but 4 or 5 years ago when I was 
looking at this same problem as chairman of Compensation and 
Pensions, we couldn’t get a plem. And we had an awful lot of folks 
coming in here and saying, well, we’re going to get a plan together 
and we’re going to be able to do it. I referred to it as a road map, 
or of course many years ago it was called management by objec- 
tives, and none of that seemed to be a focus. And I don’t doubt your 
word nor that the staff is dedicated to doing this, but I will have 
to tell you that I’ve kind of heard this kind of thing before. 

Mr. Gracey. I know you have, sir. I’ve been here when you’ve 
heard it before. I would like to correct at least the perception that 
I think I hear. We do have an overall information systems strategic 
plan that follows the department’s strategic plan that lays out the 
direction in which we’re going. What we don’t have a plan for is 
the development of the specific 

Mr. Everett. What I call MBO 

Mr. Gracey (continuing). The architecture. 

Mr. Everett (continuing). Management by objectives. Well, ac- 
cording to the GAO, the VA’s capital investment process for its pro- 
curements and projects that are less than $250,000 is less struc- 
tured. My subcommittee’s review of this issue indicates that there 
is very little oversight by the department on these sort of contracts, 
$250,000 and below. The department does not review these con- 
tracts in the broader context of what these contracts contribute to. 
Why hasn’t written guidance been issued to monitor and manage 
approved procurements or evaluate the completed projects? And if 
this isn’t in place, when can we expect it? 
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Mr. Gracey. Of $250,000 and below, sir? 

Mr. Everett. A hundred and fifty. Two-fifty. 

Mr. Gracey. We tiered our approval process, frankly to try and 
concentrate our efforts, our oversight efforts, on projects which oc- 
cupy most of the dollar resources. So the most rigorous process, the 
formal capital investment process, is in fact aimed at large-scale 
projects, those over $1 million for the staff offices, over $2 million 
for VBA, those over $10 million for VHA. Between $250,000 and 
the capital investment thresholds my staffs oversight time focuses 
on those through a formal review also. 

$250,000 and below, we ask that those spending the money ad- 
here to the architecture, adhere to the plans, and adhere to the 
general spirit of good government contracting and the law of good 
government contracting, but we aren’t involved in direct oversight, 
partially because of the large magnitude. 

Now I have asked the inspector general, which he said this 
morning he’s begun already, to review IT procurements as he does 
his regular inspections and audits of medical centers and regional 
offices so that we get a feel for first, are people fragmenting pro- 
curements to go under the $250,000 threshold? And second, are 
there things going on out there that are either ill-informed or ill- 
advised or illegal? And I would hope that I would continue to hear 
what he said this morning, which is of the medical center’s he’d 
done, he’s found nothing wrong so far. 

We’re concerned, but we frankly had to focus ourselves on the 
high dollar items at the expense of those smaller ones. 

Mr. Everett. In other words, we don’t have folks out there tak- 
ing million dollar contracts and breaking them down to $250,000 
contracts so they can escape review? 

Mr. Gracey. I hope we don’t. I wouldn’t promise you that we 
don’t. Our folks don’t think we do, and we haven’t seen any evi- 
dence in what we called in from the field in order to work with 
your subcommittee staff. But wherever there are people, there will 
be misbehavior, so I’m sure there are some people that aren’t fol- 
lowing the rules. 

Mr. Everett. Before I go to the I Love You virus, let me ask you, 
we obviously do not have a One VA at this point? 

Mr. Gracey. That’s true. But we’re much closer to it than we 
were 5 years ago. 

Mr. Everett. Will it be another 5 years before we get there? 

Mr. Gracey. I hope not. I alluded in my oral statements to my 
view of those conferences and their tran.sformational value, and I 
know some of your staff was at some of them, and I saw — I saw 
things that frankly I didn’t expect to see in terms of people working 
together. I also saw things that I didn’t expect to see in terms of 
the lack of understanding of people who worked in VA facilities in 
the same State not knowing enough about other people’s busi- 
nesses. That’s been a huge wake-up call for this department, and 
Hershel — Mr. Gober — has been sa 3 dng that since I began to work 
with him 7 years ago. It’s taken him with his personal force that 
long to get it this far. Now we have 2,500 disciples who attended 
those conferences hopefully going back and spreading that word to 
the other 200,000 employees, but it’s a big job. But it’s like a reli- 
gion — once it starts to take hold, people really do grab ahold of it. 
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Mr. Everett. Like you. I’ve known of Mr. Gober’s dedication to 
this for a number of years. And of course, I come out of a business 
background. And the performance so far department-wide would be 
completely unacceptable in the private world out there. You just 
simply couldn’t get away with this sort of thing. 

And there again, as I said, I know of his commitment to this 
from personal conversations I’ve had with the Deputy Secretary. 
And are we dealing with turf battles? What are we dealing with 
that it takes so long to get this accomplished? 

Mr. Gracey. What we’re dealing with and this is my opinion, 
this certainly isn’t an official information technology position, is a 
very large organization which is like a very large ship, and you 
turn the wheel, it takes a while before the nose starts to turn. 
That’s happened. 

The good news is, once it’s turned, it stays the course. I think 
top management leadership is crucial. You and Congresswoman 
Brown both said that this morning. A clear commitment from the 
top, a clear, continuing message from the top, through a period 
frankly of what will be transition for the department in the next 
year, is going to be crucial. And we’re going to need your help. The 
department’s going to need your help and the help of your col- 
leagues to keep us focused like you did on Y2K. And I for one think 
that’s a good oversight and focus role, because it’s good for the 
department. 

Mr. Everett. You know, it begs the question, if the ship is so 
large, should we have a smaller, more focused ship? And at some 
point I believe the Congress is going to ask that question. And I 
have said time and time again that the VA can be its own worst 
enemy in the long run if it doesn’t do something about what I have 
called the good old boy network. I’m not referring to any particular 
thing in this discussion, but it seems to be very difficult to get busi- 
ness plans from the VA. You know, I’ve been looking at this for 5 
years now, and it’s been very difficult to get there. 

My final question will be about the so-called “I Love You” virus, 
which my colleague has touched on in prior questioning. It caused 
disruptions worldwide. How did it affect the VA? Can improved 
computer security help protect the VA from such destructive vi- 
ruses and other unauthorized and criminal intrusions into the com- 
puters? The growing potential for an information disaster makes 
improvements in the computer security highly urgent for the VA. 

For instance, did the VA have to shut down any of its systems 
because of this particular virus? 

Mr. Gracey. We shut down our headquarters e-mail system 
early in the morning that morning. 

Mr. Everett. As a precautionary measure or 

Mr. Gracey. No. Well, as a precautionary measure to keep 
things from getting worse, but we were already crippled. And the 
same thing was true at some of the health care facilities across the 
country. It was less true in Veterans Benefits Administration be- 
cause of some differences in the systems. But it points out clearly 
the need for better security. The issue is for us implementing infor- 
mation security department-wide, since we’re all networked to- 
gether, so that the weakest link in the organization can’t make the 
whole system vulnerable. 
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It is our top concern. It’s something that I worry about every day. 
And we’ve also learned that we can’t live without electronic media 
anymore. There was a time when we weren’t quite as dependent 
on it as we are now. Now, work ceases when that information sys- 
tem isn’t available. So, yes, we’re attacking it. 

We’re in an awfully new era where we’re going to have to spend 
some energy, not just to do the technology part but to make or help 
managers and workers understand that their machine that they’re 
working at and their organization’s machine, if they run machines, 
if they run a hospital or a regional office or a cemetery operation, 
creates a window into our system through which a cyber burglar 
can crawl, and so we all have to implement consistent security. It’s 
up to people to implement good security at every desktop we have 
in the organization. It’s up to my organization and my colleagues’ 
organizations to implement automated controls that let us know 
that that’s happening. So it is a very tough situation, Mr. 
Chairman. 

Mr. Everett. Well, in training, taking a look at training, exactly, 
for instance the IG said just simply changing the password on a 
regular basis. What specifically is being done to alert VA employees 
that they have to look after their own desktop computer? 

Mr. Gracey. First of all, we put up web-based security training 
that every employee that has a desktop that has access to our 
Internet can use to access that training. That essentially raises 
awareness. But more specifically, the CIO Council several months 
ago created and adopted the policy of what we call strong password 
control, which consists of passwords of a certain length with dif- 
ferent kinds of characters than just the standard upper and lower 
case alphabet. 

Again, however — and we put that word out throughout the coun- 
try — it falls to top management at each facility, not just their sys- 
tems people or their security people, to make sure that’s imple- 
mented at every facility, and it goes back to human behavior. 
There are systems thing we can do to monitor its implementation. 
But so far, we have not devised a method to force its implementa- 
tion, although we may get there. But everybody’s got to be in- 
volved, and everybody needs to be aware. 

Mr. Everett. Well, I’m not real sure how ahead of the game that 
Congress can stay in this rapidly advancing technology that we see 
around us. But one thing the Congress could do and should do is 
to make sure that the penalties for this kind of thing — not only 
here in this country but internationally — are severe. This has 
reached a point where it’s no longer a kid’s joke. This is costing lit- 
erally billions of dollars. 

Ms. Brown. 

Ms. Brown. Thank you. Mr. Gracey, I would give you an A. You 
did a wonderful job of guiding the VA through the Year 2000 roll- 
over. I’m sorry to learn that you will be leaving for greener pas- 
tures at the end of this month, but I understand and wish you well. 

Mr. Gracey. Thank you. 

Ms. Brown. Your leadership over the last 23 months as acting 
chief information officer has been recognized throughout the IT in- 
dustry and has set a stable course for the Department. After many 
years of wrong turns and wasted efforts, Moses, too, could only see 
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the Promised Land from the mountaintop and had to leave it to a 
successor to get his people through. So I’m hoping that the depart- 
ment, with our help, Mr. Chairman, will be able to move on 
forward. 

Mr. Gracey. Thank you. 

Ms. Brown. I have a couple of questions. I noted that you re- 
ferred to the transfer of computer operations from Hines to Austin 
as a collocation rather than a consolidation. Would you explain the 
difference in the two concepts, collocation and consolidation, with 
regard to this case? 

Mr. Gracey. It’s actually a technical distinction that comes from 
the Office of Management and Budget’s definitions of the two 
terms. But collocation means taking like machinery and moving 
just the physical location of the operation. So in the Hines-Austin 
case, collocation represents establishing a Hone 3 nvell environment 
for the benefits delivery network in Austin like it has in Hines and 
just changing the place of operation. Consolidation w’ould be if we 
were to move all those functions over to the machinery that already 
exists in Austin and consolidate them all on one platform. In this 
case, it would be the IBM platform in Austin. 

Ms. Brown. I’m particularly interested in how that difference 
might affect program responsibility. That is, under each concept, 
who would be responsible if the VA checks don’t go out in time, the 
people in Austin or the people at Hines, because presently the sys- 
tem is working? The last thing any Members of Congress want is 
for the veterans not to get their checks on time. I can assure you 
of that. 

Mr. Gracey. I think clearly the responsibility would move from 
Hines to Austin for the checks going out. I think, however, the risk 
of that being a possibility are almost zero, because essentially we’re 
talking about — or at least the same as they are of it happening at 
Hines — we’re talking about moving similar equipment to a prob- 
ably more robust environment, thereby giving it greater protection, 
greater sophistication, and the ability to draw on more resources 
to help should anything go wrong. But clearly, the responsibility 
would lie with the operator of Austin. But just as clearly now it 
would now lie with the operator at Hines. And I don’t think moving 
introduces any risk of failure at all. 

Ms. Brown. Just one second. You know. I’m just confused, and 
perhaps there’s something that I don’t know, but why did we do the 
break-up in the first place? I don’t see that it’s going to be more 
cost-effective. A lot of people will be losing their jobs when they 
consolidate. From my understanding they’re going to have to buy 
additional equipment or new equipment. Perhaps you can give me 
a little history, because I’m not understanding why these needs to 
be a consolidation. 

Based on the reports I’ve gotten, we’re not really meeting the 
timetable. 

Mr. Gracey. We may need to provide some clearer information, 
but the facts as we put them forth after our analysis and actually 
VBA’s analysis, is that in fact the movement of the operation — the 
machine operation is what we’re talking about — from Hines to Aus- 
tin, VBA estimated would save $15.5 million over 4 years, which 
is the result, as you alluded to, of the elimination of the jobs that 
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exist to run that machinery and support it in Hines. Frankly, there 
would be fewer jobs to support the same operation in Austin, be- 
cause it’s a more modern environment and there’s more back-up on 
site, whereas Hines is a stand-alone operation. 

But we’ll be glad to provide some more information or come brief 
staff about the specifics. 

Ms. Brown. That’ll be fine. I would like that follow-up meeting. 
Because we do have limited time, I would appreciate it if we could 
get them to come to the office and brief the staff and me on it. 

Mr. Gracey. We’d be glad to do that. 

Ms. Brown. I yield back my time. 

Mr. Everett. I would assume before such a transfer took place 
down to Austin that you would have several test runs to make 
sure, just like we did in 2YK, to make sure all the bells and whis- 
tles were going off at the right time? 

Mr. Gracey. Yes. We in fact would run parallel for some ex- 
tended period of time to make sure that everything was fine. 

Mr. Everett. Right. 

Mr. Gracey. I would guarantee you that none of us at this table, 
even if we had left the employ of the department, would want to 
open our newspaper and find that we had broken our trust with 
veterans. That’s not a risk we’re willing to take. 

Mr. Everett. Well, I know Ms. Brown and myself both would 
feel much better knowing that would occur. 

Just briefly, a couple more things. You heard the GAO’s testi- 
mony. What is the VA doing to develop better cost accounting in 
the IT programs? We have billions of dollars spent, and the GAO 
tells us that they don’t know what it was spent on and they don’t 
know how much was spent. 

Mr. Gracey. I’d like to take two different approaches to that. I 
was a little startled to hear them say that they didn’t think we 
could account for what we had spent our money on for the last 10 
years, and at lunchtime during the break, my staff told me that 
they thought we could. So I’d like to go back and try and get that 
material and provide it to the staff and maybe have a conversation 
with GAO and the staff about that, because I think we can. 

Mr. Everett. Would you provide it for the record also? 

Mr. Gracey. We will do that. But the forward-looking part of the 
conversation really is how the capital investment process and the 
review of projects is going to affect us proactively. 

Each year we capture new projects or expanded projects or 
projects that are hitting a milestone the third year of their life in 
capital investment if they’re large projects. Over time — and time 
being 3 or 4 years — we’ll capture virtually 100 percent of all the 
large project money being spent in VA. We still won’t be capturing 
what you alluded to earlier, which is the smaller procurements out 
in the field, although with other means, we may capture them. But 
through capital investment, we’ll pull in information about what 
was planned and what is being spent on all the big projects, adding 
a portion each year as we go through the budget process. 

We’re feeding that into an automated system called I-TIPS — In- 
formation Technology Investment Processing System — that will 
give us the ability to audit, monitor and check “plan against ac- 
tual” over a long period of time for each project. And we think that 
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tool, which is also being used in the construction part of the capital 
budget, will give us a leg up in doing exactly what you’re asking. 
But it will t^e a year or two or three to capture all the data. 

Mr. Everett. One reason that sort of struck a chord with me is 
that I remember some 4 or 5 years ago when we got into discussing 
the computer modernization plan, first we were told $147 million 
had been spent. And we sent GAO into do an audit, and we found 
out that $300 million had been spent, and we couldn’t find out 
where that money was spent. And as far as I know until today, we 
don’t know where that money was spent. 

(The information follows:) 
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VA IT Expenditures 
Fiscal Years 1995 - 1999 


1 . At the request of the House Veterans Affairs Committee, VA undertook a 
review of the last five years to determine the amount of money spent on 
information technology (IT) during that period. 

2. Over the five year period, VA expended $4,457,378,000. These funds were 
spent over the period in the following manner: 

FY 1995 -$726,581,000 
FY 1996 -$854,537,000 
FY 1997 -$1,091,060,000 
FY 1998 - $874,200,000 
FY 1999 -$911,000,000 

3. As part of its oversight role as outlined in the Clinger-Cohen Act of 1996, the 
VA Chief Information Officer grants authority (in the form of IRM Approvals) to 
organizations to pursue acquisitions of IT when those acquisitions are valued at 
$250,000 or more. (Organizations can pursue smaller purchases on their own 
accord provided they follow procedures analogous to those of the VA CIO.) Over 
the period from FY 1995 until the end of FY 1999, the VA CIO granted IRM 
Approvals totaling $4,746,873,636. These authorities were granted as follows: 

FY 1995 -$339,463,546 
FY 1996 -$2,321,616,610 
FY 1997 - $1,007,329,907 
FY 1998 -$673,044,118 
FY 1999 -$405,419,455 

4. While it would seem IRM Approvals granted exceed the amount of funds 
actually reported to the Office of Management and Budget (OMB) as expended 
over the period (particularly in FY 1996), this is not the case as the result of two 
factors: 

a. IRM Approvals are frequently granted for projects whose funds are 
expended over multiple years, but are accounted for in the year the IRM 
Approval is granted. This has the effect of inflating the value of the grant year 
by adding future-year’s money to amount. Examples of these authorities are 
IRM Approvals granted for the purchase of medical center phone systems. 
These authorities last for the duration of phone system and include purchase, 
installation, and maintenance (over a several year period). 

b. Indefinite delivery, indefinite quantify contracts also require an IRM 
Approval authority prior to entering into those agreements: however, it is not 
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possible to know the full value of these vehicles in advance. An estimate of 
the total use of an IDIQ has to be provided to the VA CIO prior to the granting 
of an IRM Approval. IDIQs typically extend over many years. Thus, the multi- 
year situation of the previous paragraph is in play, but is compounded by the 
uncertainties of accurately valuing an IDIQ contract. During the five year 
period, there were three large IDIQ vehicles submitted for IRM Approval 
authority: 

[1] Procurement of Automated Information Resources Services (PAIRS)— 
which was eventually not executed— in FY 1996, valued at an estimated 
$875,000,000; 

[2] Procurement of Computer Hardware and Software (PCHS), also in FY 
1996, valued at an estimated $998,000,000; and 

[3] TeleChoice, in FY 1997, valued at an estimated $750,000,000. 

If these IDIQ requests are subtracted from all other IRM Approvals, the adjusted 
figures for the five-year period become; 

FY 1995 -$339,463,546 
FY 1996 -$448,616,610 
FY 1997 -$257,329,907 
FY 1998 -$673,044,118 
FY 1999 -$405,419,455 

5. Detail for each fiscal year follows on the subsequent pages. Each fiscal year 
contains: (a) Exhibit 43 or 53 (as appropriate); (b) the Acquisition Tracking 
System printout, showing IRM Approval processing, sorted by IRM Number; (c) 
the IRM Acquisition Tracking System printout, showing IRM Approval processing, 
sorted by submitting organization (in alphanumeric order of VA routing symbols 
or abbreviations). VA mail routing symbols were used to match IRM acquisition 
requests to organizations in several occurrences in the IRM Acquisition Tracking 
System. These routing symbols relate to VA organizations, as follows: 

(006E) - A component of the Office of Human Resources and 
Administration 

(026H) - A component of the Office of the General Counsel 
(045A2) - A component of the Office of Information and Technology, 

Office of Policy and Program Assistance 
(045B) - Office of Information and Technology, Office of 
Telecommunications 

(047) - Office of Financial Management, Office of Finance 
(047E) - A component of the Office of Financial Management, Office of 
Finance 

(08) - Office of Resolution Management 
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(104/00) - Office of Financial Maoiagement, Austin Finance Center 
(20(^00) - Office of Information and Technology, AusUn Automation 
Center 
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Mr. Everett. Finally, as we both pointed out, you’re retiring, 
and we certainly wish you well. Thirty years is a long time to stay 
in government service, and 17 of it at, as you point out, a very com- 
plicated, multilayered government agency like the VA. Would you 
feel free to share your thoughts about what you would do with the 
One VA IT issue? How you’d go about it? 

Mr. Gracey. Oh, I think you and Congresswoman Brown have 
both hit on a key aspect of it, which is to continue strong direction 
and leadership from the top of the organization. 

I guess the second aspect would be holding, not just the IT folks, 
but the line managers in the organization all responsible and ac- 
countable for contributing to the success of that. And Mr. Gober 
tells a story which he’s probably told to this Subcommittee of visit- 
ing a State early in his tenure where he had to introduce the direc- 
tor of the medical center to the director of the regional office. I 
know that to be a true story. And that’s a sad story. 

I would hope today after the five conferences there are none of 
those situations out there. But even if there aren’t, I’m sure there 
are ones where workers at one facility don’t understand the jobs of 
their friends and colleagues across town at the other facility. 

So it’s going to have to boil down from the top to the line man- 
agers at the facility level, or the VISN level or the SDN level and 
then to the workers. And the thing that is compelling for me is to 
look in the face of those folks trying to get service from us and 
know that’s what they want. They don’t want to come to a piece 
of the original and then have to go to another piece. They want to 
come to VA and get what they need from that one stop. And I can 
do that at my bank or my insurance company. I know with your 
business background, you know of lots of other places they can do 
that. That’s what we need to be able to give them at VA. They de- 
serve it. And it’s just going to take hard work, a push from the top, 
training, reorientation, rewarding the successes, and frankly, pun- 
ishing the failures, in order to keep people focused on what we’re 
about. 

Mr. Everett. I’m always very pleased to hear you say that, par- 
ticularly about punishing those who for whatever reason decide 
that they can’t go along in serving our veterans the way that they 
need to be served, just like you said, as a bank or any other busi- 
ness does. 

I do know that one of the problems that we really have is a cul- 
ture that exists in VA, in particular in VHA, and our directors at 
our institutions sa 3 dng that, you know, this is my little kingdom, 
and I’m going to run it the way I want to run it. That has been 
a tremendous problem for this Subcommittee. And the restraint 
that VA has used in dealing with those directors. 

Ms. Brown, do you have anything else? 

Ms. Brown. No, sir. Just once again, thank you. 

Mr. Gracey. Thank you. 

Mr. Everett. Well, again. I’d like to thank our witnesses for 
their testimony at today’s hearing. Certainly I believe the testi- 
mony by the GAO and IG representatives underscores the sub- 
committee’s concern that the VA has little to show taxpayers and 
veterans for the billions of dollars VA has invested in computers 



28 


and software. And we’re looking forward to the information that, 
Mr. Gracey will provide us for the record. 

(See p. 24.) 

Mr. Everett. While it’s difficult to quantify with precision, I be- 
lieve that VA has wasted hundreds of millions of dollars on the 
wrong systems and seemingly endless IT development projects. 
Program management has long been the Achilles’ heel of the VA 
IT program. If the VA can’t get its priorities straight, its IT per- 
formance is not going to improve. 

Critical reforms are being attempted with the department’s new 
capital investment process, but their success is uncertain. If the VA 
is truly to be one VA, it must develop an integrated system archi- 
tecture to allow seamless customer services for veterans. So far, it’s 
only been talk. 

I expect the VA to report to the subcommittee in 60 days what 
its plan is for an integrated systems architecture, along with the 
milestones for the completion. I know that the Deputy Secretary 
wants such a plan, and hopefully this Subcommittee can make 
that — move that along. 

I do believe the VA is on the mark in making computer security 
its priority. The recent virus attacks worldwide are sobering re- 
minders of what can happen to vital computer systems if security 
is not good. 

Again, I thank you for your testimony of all witnesses today, and 
this hearing is adjourned. 

[Whereupon, at 2:43 p.m., the subcommittee was adjourned.] 
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APPENDIX 


Prepared statement of Hon. Corrine Brown 

Mr, Chairman, information technology is complex, rapidly changing, and seems to 
require ever larger investments every year. We are attracted — sometimes even 
blinded — by its potential benefits. Unfortunately, at times, information technology 
evolves faster than agency cultures and management mindsets are able to adjust. 

This morning, we’ll hear the General Accounting Office and Inspector General tell 
about a decade of unfulfilled promises, missed deadlines, and wrong turns that have 
cost taxpayers millions of dollars. On a positive note, they also will report that the 
Department of Veterans Affairs is making limited progress and that there are glim- 
mers of hope for better results if their various recommendations are followed. 

The VA’s presentation — as you would expect — will be forward looking; telling us 
about their new organizational structures, planning systems, and initiatives. VA’s 
stated objective — like mine — is to find new ways of utilizing information technology 
as a tool to improve service to veterans. 

On January 1, 2000, VA proved that — with a little oversight incentive from this 
Subcommittee — it could meet difficult IT challenges successfully. I applaud VA’s 
Year 2000 rollover effort and its architect, Harold Gracey. A lot of valuable lessons 
were learned from VA’s Y2K preparation, and a major byproduct of success was pro- 
gram credibility. 

Because Mr. Gracey did such a fine job of guiding VA through the rollover, I was 
sorry to learn that he will be leaving at the end of this month. I wish him well. 
His leadership over the last 23 months as Acting Chief Information Officer has been 
recognized throughout the industry and has set a stable course for the Department. 
After many years of wrong turns and wasted efforts, Moses, too, could only see the 
Promised Land from the mountaintop and had to leave it to his successor to get his 
people there. 

Mr. Chairman, although I am concerned about the broad IT issues, like informa- 
tion security and integrated architecture, I also am encouraged with the positive di- 
rection of VA’s capital planning and investment process. My interest today, however, 
is in the details represented by projects like the data center consolidation and 
VETSNET. Responses to my questions about these details will give me a measure 
of VA’s current institutional culture and its decision-making process. 

The environment for 21St century IT decision-making is a dynamic one, with 
rapid ground shifts and large sea changes. How well VA officials are able to meet 
the management challenges of this new way of doing business can only be assessed 
over time. 

Today’s hearing is just the first in what promises to be a series of hearings ex- 
tending beyond the 106th Congress — no matter which party is in control. Mr. Chair- 
man, the future of veteran services delivery depends on how well VA responds to 
oversight inquiries like this. 

Prepared statement of Hon. Lane Evans, Ranking Democratic 
Member, Full Committee on Veterans’ Affairs 

Chairman Everett and Ranking Member Brown, I want to thank you both for 
holding this important hearing on information technology — VA’s primary hope for 
providing seamless services to America’s veterans. 

VA emerged as an industry leader in preparing for the Year 2000 rollover. The 
recent “Love Bug” experience, however, underscores the need for the Department to 
use the successful tact it took with Y2K to focus on information security — VA’s new 
number one priority. 

Mr. Chairman, of particular concern to me today is the timing of VA’s planned 
transfer of data processing functions from Hines to Austin and the risk such a 
transfer at this time would impose on recipients of VA monthly checks. 

Discussion and oversight of these and other issues involving VA’s expenditure of 
over $1 billion annually on information technology will prove to be of great benefit 
to us all. 

Thank you, Mr. Chairman. I look forward to the testimony this morning. 
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Mr. Chairman and Members of the Subcommittee: 

We appreciate the opportunity to participate in today's hearing on the 
Department of Veterans Affairs’ (VA) proposed $1.4 billion information 
technology (IT) program, and how VA is using IT to better serve our 
nation’s veterans. In July 1998 we reported' that VA had not fully 
implemented critical provisions of the Clinger-Cohen Act and related 
legislative IT reforms.^ We also made several recommendations for 
improving VA’s IT program. 

We will begin today by discussing VA’s efforts to address our 1998 
recommendations, especially those calling for institutionalizing a 
disciplined IT investment decision-making process, developing an overall 
business process improvement strategy to accomplish reengineering, and 
completing an integrated IT architecture." Next, as requested, we wU 
discuss the status of VA’s actions to develop and implement a Master 
Veteran Record; the Veterans Benefits Administration's (VBA) actions to 
modernize its information systems, also known as the Veterans Service 
Network, or VETSNET; and the Veterans Health Administration's (VHA) 
actions to implement its Decision Support System. Finally, we will discuss 
VA’s steps to improve computer security across the department. 

In brief, VA has made progress in addressing our 1 998 recommendations. 
For example, compared with its fiscal year 1999 IT investment review 
process, VA’s fiscal year 2001 process provided decisionmakers with more 
detailed information on proposed projects. However, the department has 
yet to fill the position of assistant secretary for information and 
technology, created in June 1998 and intended to seive as VA's chief 
information officer (CIO). It also has not developed an overall strategy for 
reengineering its business processes to effectively function as ‘One VA," a 
vision the department has articulated, nor has it defined the integrated IT 


' VA Infomimion Technology': hnproventenis Needed to lm$ilenieiii IjCgi&lative liefoms {<iAO/ 
AfMD-&8-liS4,.IuJy7. 1998). 

^The Clinger-l'ohen Act and related l«0slative t«forT>i.s — ti\e Paperwork Reduction Act of 1995 and the 
Federal Acquisition Streamlining Act of 1994 — provide Uireotion on Itow federal agencies should plan, 
manage, and acquire IT 

"An integrated IT art lutecture is a blueprint consisting of logica; and irchnJcal componenis to guide 
and constrain the develc^menc and evolution ofa collection of related systems At the logical level, the 
architecture provitles a high-level description of an organization s mission, the business functions 
being peifomu^d and the relationships among tite functions, the informatiun needed Uj perform the 
functions, and the Row of information among functions At the technic aj level, the architecture 
provides the rules and standards iteeded to ensure that Uie interrelated systems are built to t>e 
interoperable and maintainable. These irtclude specifications uf critical aspiects of component systems’ 
hardware, software, communications, data, securi^. and peifonnaiice characteristics 
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architecture needed to efficiently acquire and utilize Infomuition systems 
across VA. 

VA liicewise £ace$ challei^es in developing and un|dematitlng a Mast^ 
Veteran Record. VETSNET, and the Decision Supped System. Its Master 
Veteran Record prefect has not been impionented by VBA’s conq>ensation 
and pension service Um. although this project could help reduce 
overpaymetus through faster receipt of death notices. VBA’s VETSNET 
project has experienced many schedule debi^, aiKl the a^ncy has ncH 
established a completion date for It Finally, VHA’s Decision S^^)ort 
System, wlule completed, is not being fiilly used by the agency for the 
purposes intended, including budget formulation and resource allociuion. 

Bearding compiler security, VA has begun to address weaki^ses 
idemified by us and by its Office of the Inspector General (0!G). 
Nevertheless, it still needs to complete guidance on assessing the 
department's security risks and must develop appropriate policies and 
controls for accessing its computer systems. 


Background 


Ihe department's vision of "One VA" was articulated to assist it in carrying 
out its mission of providing beneHts and other services to veterans and 
cl^>erK^ts. This viacm stems from the recognition that veterans think of 
VA as a angle nuicy, but often encounter a confuat^ bureaucra^c maze 
of uncoordirtated programs — such as those handling benefits, health care, 
and burials — that puts them through repetitive and frustrating 
administrative procedures and delays. According to the department, the 
"One VA* visi<m describes how it will use informadion technology in 
versatile new ways to improve services and eitabic VA employees to help 
customers more quickly and effectively. 

To implement this vision and carry out other activities, VA plans to spend 
sdiout $1.4 billion of its proposed fiscal year 2001 budget of about $48 
billion on various IT initiatives. Of this $1.4 billion, about $763 million, $80 
million, and $400,000, are intended for VHA, VBA, and the National 
Cemetery Administration (NCA), respectively. The remaining $589 million 
is for VA-wide IT initiatives In the financial management, human 
resources, infrastructure, security, architecture, and planning areas. 

The Clinger-Cohen Act and other related legi^atlve reforms provide 
guidance on how agencies should plarr, manage, and acquire IT as part of 
their overall information resources management responsibilities. These 
reforms require agencies to appoint CIOs responsible for providing 
leadership in acquiring and managing IT resources. Th^ also require 
agencies to perform business proce^ reengineering prior to acquiring hew 
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IT and to complete an integrated architecture to guide and constrain 
future investments. 


VA Has Made 
Progress in 
Institutionalizing the 
IT Investment Process 


As shown in table 1, VA’s decision-making process for IT investments 
varies depending upon the proposed project’s cost, risk, and visibility. An 
IT project starts with a VA administration or office developing a project to 
addreffi business needs and preparing a formal prc^Kisal for review and 
approval. Then, projects with hi^ cost, risk, or visibility are assessed as 
part of VA's capital investment planning process, incluchng review by its 
Coital Investment Board (CIB). This board is composed of the deputy 
secretary, the assistant secretary for congressional affairs, the assistant 
secretary for infcxmation and technology, the general counsel, the 
assistant secretary for financial management, the assistant secretary for 
plaruung and analy^, and the undersecretaries for health, benefits, and 
memorial affairs. It reviews projects that exceed specific dollar thresholds 
or that are seen as high risk or high visibility. The dollar thresholds for 
VHA, VBA, NCA, and staff offices are acquisition costs of $10 million, 

$2 million, $1 million, and $1 million, respiectively, and/or life-cycle costs 
of $30 million, $6 million, $3 million, and $3 million, respectively. Lower 
cost projects are not reviewed by the CIB. Instead, they are decided upon 
and overseen by VA administrations/offices. Those projects over $250,000 
are also monitored by VA’s Office of Information and Technology (OI&T). 


The Clinger-Cohen Act requires agency heads to implem^t an approach 
for maximizing the value and assessii^ and numaging the risks of fT 
investments. It stipulates that this approach) sh<xild be integrated with the 
agency’s budget, financial, and program management processes. As 
detailed in our inve^ment guide, ^ an IT investment process is an 
integrated approach that provides for disciplined, d^-driven 
identification, selection, control, life-cycle management, and evaluation of 
IT investments. 


* Assessing Risks and RHwm: A Guide for Evaluating Federal Agencies' ITlnvestment Decision’ 
m«idng(GAO/AIMD-10-l-l3, February UI97). 
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Table 1 : Summary of VA Decision-making and Oversight by Type of IT 
Project 




Type of VA decision/oversight 


Type of IT project 

Select 

Approve 

Control 

Evaluate 

High cost/risk/visitnlity: 
Projects that meet 
dollar thresholds for 
review by CtB or are 
high hsk or high 
visibility 

Administration/ 

office 

VACIB 

VA OIST 
approval 

VA in-process 
reviews 

Execution 

reviews 

Internal 
reviews and 

OIG reports 

VA post- 

implementation 

reviews 

VA internal 
reviews and 

OIG reviews 

Medium cost 

Administration/ 

VA 01 &T 

VA OI&T 

VA internal 

Projects greater than 
$250,000 but less than 
the thresholds for 
review by CIB 

office 

approval* of 
procurements 

follow-up on 
approval* of 
procurements 

reviews and 

OIG reviews 

Low cost: 

Administration/ 

Administration/ 

Administration/ 

Administration/ 

Protects less than 
$250,000 

office 

office 

office 

office 


’Exceptions to the requirement for approval include items purchased under VA's 
departmeniwide procurement computer hardware and software contract and purchases of 
picture archiving and retrieval systems. 


Source: VA. 

As shown in figure 1, projects that require approval by the CIB are 
submitted by the applicable adn\inistration''ofnce to the department's CIO 
Council Investment Panel. This pajiel evaluates and ranks IT proposals for 
the CIO ('ouncil. Tlie councU then retiews the proposals and forwards 
selected ones to the Capital Investment Panel. Tliis panel ranks and scores 
both IT and non-IT projects and makes recommendations to the CIB. 
which then ntakes recommendations to the Secretary for inclusion in the 
department’s capital plan and annual budget request. 
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Figure 1 : VA'e investment Oeeision-making Process 



VA Administration/Office 


Although VA had established a detailed process for selecting, controlling, 
and evaluating IT inv^tments, discipline within the process was 
previously lacking. Specifically, we reported in July 1998^ that VA 
decisionr^ers did not have current and/or complete information — such 
as cost, benefit, schedule, risk, and performance data at the project level — 
with which to make sound investment decisions. In addition, VA's process 
for controlling and evaluating its investment portfolio was incomplete and, 
as a result, decisioiunakers did not have the information needed to detect 
or avoid problems early or to improve the VA investment process for the 
future. 

Accordingly, we made several recommendations to VA to improve its 
selection, control, and evaluation of IT investments. As discussed below, 
the department agreed to implement them. 


^GAO/AIMDJMUM. July 7. 1998. 
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VA Has Improved Its in response to our recommendation that it implement a disciplined 

Process for Selecting CIB- process for selecting IT investments in which decisions are based on 
Level Projects complete and current project data, VA now requires its 

administrations/ofRces to meet a more comprehensive and specific set of 
criteria. The selection criteria used during the fiscal years 2000 and 2001 
capital investment planning processes covered areas such as the proposed 
projects’ (1) impact on “One-VA” customer service, (2) return on taxpayer 
investment, (3) contribution to a high-performing workforce, (4) risks, and 
(5) comparison with alternatives. VA investment review panels*^ then 
screened proposals to ensure that they had adequate information. 

The proposals submitted for the fiscal years 2000 and 2001 reviews were 
much more complete than those submitted for the fiscal year 1999 
investment planning process. In fiscal year 19^, none of the seven 
proposals that we reviewed contained ail the required information, yet all 
were passed by the CIB. In fiscal year 2000, by contrast, all seven of the 
proposals that passed VA’s review had the required information, including 
cost-benefit an^ysis, risk tmalysis, and alternatives analysis. Similarly, in 
the fiscal year 2001 review, ail five proposals that passed VA’s review 
generally met the criteria. 


VA Has Improved Its 
Process for Monitx)ring and 
Managing CIB-Level 
Investments 


In our July 1998 report we stated that VA’s process for moiutoring and 
managing its investment portfolio was not timely and provided 
decisionmakers with little infomtation. We recommended that VA conduct 
formal in-process reviews at key milestones in a project ‘s life cycle and 
provide these results, along with results of periodic project status reviews, 
to those responsible for deciding whether to continue, accelerate, or 
terminate IT projects. 


VA agreed with this recommendation and has taken steps to implement it. 
For example, in response to our recommendation that in-process reviews 
be conducted at key milestones of a project’s life, VA recently changed its 
method for identifying projects for such reviews. In the past, in-process 
reviews were conducted in an ad hoc manner, such as when it became 
apparent that a project was behind schedule, over budget, or not 
performing as planned, or when oversight agencies raised questions. Now, 
the CIO Council plans to identify projects for review by VA OI&T based on 
the council’s assessment of the project. TIus assessment will take into 


®VA s ClOCouncil imeslnient Panel and Capital Ins-esonent Panel 
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VA Has Improved Its Post- 
Implementation Reviews 


consideration the results of execution reviews’ and input from project 
managers. These reviews focus on whether the project meets cost, 
schedule, and performance goals. 

Additionally, VA has made progress in responding to our recommendation 
that the results of in-process reviews be provided to decisionmakers. 
Specifically, the results of formal in-proce-ss reviews are given to 
decisionmakers along with the results of post-implementation reviews and 
audits of IT issues conducted by VA’s OIG. 

However, the in-process reviews may still not be timely. As of April 28, 
2000, VA OI&T has only completed five of the eight in-process reviews 
scheduled for fiscal year 1999. Without timely reviews, VA is limited in its 
ability to control approved projects. Accordingly, it is important that VA 
establishes and monitors deadlines for completing in-process reviews. 


As we have reported, VA’s post-implementation reviews had not contained 
an assessment of whether the implemented project achieved the estimated 
cost, schedule, or mission-related benefits.® Further, VA had not identified 
lessons learned that could be used to improv'e its investment process for 
selecting, controlling, and evaluating IT initiative.s. We recommended that 
VA initiate post-implementation reviews for IT projects within 12 months 
of implementation, to compare completed project cost, schedule, 
performance, and mission improvement outcomes with original estimates, 
and provide the results of these reviews to decisionmakers so that 
improvements can be made to VA’s IT process. 

VA concurred with our recommendation and has taken steps to improve 
its process. For example, in three of the four post -implementation reviews 
conducted in fiscal year 1999, actual and estimated costs, schedules, and 
mission-related benefits were compared. The remaining review did not 
include a comparison between actual and estimated costs, 

VA also now identifies lessons learned from its evaluation of completed 
projects, and documents them in the post-implementation review report. 
For example, among the lessons learned were the need to ensure that (1) a 
variety of users participate in the decision-making process on systems 
enhancements and/or user modifications and (2) user documentation is 


'These renews are conducted by the CIO Council Inwslmeni Panel ar<l fapiial Ins t-siment Panel to 
ntoniior aiul manaite projecu approved by tlw CIB 

*GAO/AIMl>-PlH->4.July7. IJKW. 
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readily available and updated regularly to reflect the latest systems 
changes. 

However, the lessons learned are provided only to the sponsoring VA 
organizatif>ns, and not to decisionmakers, such as the investment panel 
members, who could also benefit from them. Decisionmakers receive only 
a summary of the audit findings in post-implementation reviews; lessons 
learned are not part of that summary. To improve the department’s 
proce.ss for selecting, controlling, and evaluating IT investments, 
decisiomnakers should be provided with such lessons learned information 
so they can use it in making better-informed judgments about projects. 


IT Investment Process for 
Projects Below CIB-Level 
Is Not as Structured 


As previously discussed, IT procurements that are $250,000 and greater, 
but less than the thresholds for review by the CIS, must be approved by 
VA OI&T; procurements and IT projects that are less than $250,000 are 
reviewed at the administration/office level. The capital investment process 
used for these projects is less stnictured than the high-cost, high-visibility 
projects reviewed by the CIB.® 


To implement the approval process for projects above $250,000 and 
beneath the CIB thresholds, VA OI&T has issued guidance — IRM Planning 
and Acquisitions Handbook— to project sponsors, Spoiisors requesting 
approval must submit a package containing key information, such as a 
requirements analysis, benefit/cost analysis, and a minimum 10 percent 
return on investment. It has not yet issued written guidance for 
{ 1 ) monitoring and managing approved procurements or (2) evaluating 
completed projects. VA OI&T is now in the process of revising its 
handbook to address these areas. 


Guidance for IT projects costing up to $250,000 is partially complete, \^A 
has issued selection process giudance entitled Information Technology: 
Ir.vcstmcnt Board and Investment Evaluation Process that covers all IT 
projects, including those under $250,000. It requires each project sponsor 
to submit a package containing information such as the names of the team 
members, cost-effectiveness analysis, alternatives analysis, risk analysis, 
aitd performance measures. This infonnation is reviewed by VBA’s 
Infomtation Technology Investment Board. The board reviews the 
projx^sal for (1) consistency with and support of the VAA^A mission, 
goals, and objectives, along with technical and organizational feasibility, 


-'.Arrordin/! to VA. aboiit -$814 million of its $1 2 billion fiscal year IT investments were not subject 
io rvMi w l*> the CIB; ihesw were the most reci nlly available data 
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VA’s Progress in 
Addressing Other 
Clinger-Cohen Act 
Provisions Has Been 
Limited 

Limited Progress Made in 
Appointing Full-time CIOs 


aitd (2) completeness project pisn, cost-effectiveness analysis, and risk 
analysis. It then ranks the pitHi>o^ in terms of risk and return. VBA’s 
guidance tUso requires its Information Technology Investment Board to 
review ongoing projects. VBA has not issued written guidance fen* 
evaluating completed projects, but a VBA official told us that the agency is 
ui the process of developing such guidance. 

Lastly, VHA issued written guidance this past January for selecting IT 
investments for its Office o( Information, which maruiges VHA-wide 
projects. 11118 guidance requires project sponsors to submit cost-benefft 
analyses, altem^ves analyses, project schedules, and a discussion of 
funding sources. VHA offices in headquarters and the field have typically 
relied on group meetings and discussions to select IT initiatives. According 
to a director in the Office of Information, VHA is currently drafting 
guidance for selecting FT investments at its field offices. VHA does not 
have written guidance for monitoring and managing IT procuremmts nor 
does it have guidance for evaluating completed projects. VHA plans to 
develop such guidance, but it has not est^lished a date for when this will 
be c<»npleted. 


VA has made only limited progress in addressing other key issues, such as 
i^ipointing fiiU-time CIOs, developing a business process reengineering 
strategy, and developing an integrated IT architecture. These need to be 
addressed if the department is to effectively use IT to achieve its “One VA” 
vision. 


The CUnger-Ckrfien Act and the Paperwork Reduction Act direct the heads 
of federal agencies to appoint CIOs to (1) promote improvements in work 
processes used by the agencies to carry out their programs, (2) implement 
integrated, agencywide systems or technology architectures, and (3) help 
establish sound investment review processes to select, control, and 
evaluate IT spending. To help ensure that these responsibilities are 
effectively executed, the act requires that the CIO’s primary responsibility 
be related to information management. 

As we reported in July 1998, however, the responsibilities of VA's CIO 
were not limited to iitformation management. Specifically, the CIO 
served the department in a variety of top management positions, including 


‘*’GAO/AIMD^I&4.July7. 1996. 
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assistant secretary for management, chief financial officer, and deputy 
a^istant secretary for budget. We noted that in an agency as decentralized 
as VA, the CIO was faced with many significant information management 
responsibilities,** which constitute a fuil-time job for any CIO. 

Accordingly, we recommended that the Secretary of Veterans Affairs 
appoint a CIO with full-time responsibility for irtformation resources 
management alone. 

VA concurred with this recommendation aitd established the position of 
assistant secretary for information and tecfmology to serve as its CIO. 
However, this executive branch position has been ur\fiDed since its 
creation in June 1998. Accordin^y, the Secretary created the position of 
principal deputy assistant secretary for information and technology and 
designated that person as VA’s acting CIO until sn assistant secretary 
could be appointed. 'Hie Secretary also realigned information resources 
management functions within VA under this position. 

The principal deputy assistant secretary for information and technology 
has reported directly to the Secretary and is involved in IT plaiming issues 
across the department. He said that his responsibilities have included 
advising the Secretary on IT issues, serving as chair of tite department’s 
CIO Council and a member of VA’s CIB, and working with the CIOs in VBA 
and VHA, He sees his role as one of helping them use IT to support their 
administrations. According to this official, one of his priorities has been to 
ensure that IT activities in VBA and VHA are in concert with VA's 
departmentwide efforts. 

VA’s acting CIO recently announced, however, that he will be retiring from 
VA at the end of this month. As a result. VA will again be left without IT 
leadership, and the CIO position will have been vacant for almost 2 years. 

It is critical that this position be filled to provide the leadership to achieve 
the “One VA" vision through effective IT, 

In a separate yet somewhat similar situation, VHA has a CIO vacancy that 
was created when its previous CIO left the agency in October 1999. ’To 
address this situation, in November 1999 the acting undersecretary for 
health designated VTlA's chief facilities management officer as VliA’s 
acting CIO. This individual currently carries both responsibilities — for 
facilities and IT management. 


* ' At the Cmi-. iheso responsibilities iiu lwJt'd ensuring that ( I ) VA's sj-sterns dcvviopmenl prQiecfc; 
wnult! iK>t handtcajap^ t»y inconipieU? aR h}U-ciur<>s and ( 2 ) a sound information managnmctit 
invx-stnwni procfjK providing systematic, data-driven means of selecting, contrt>iiing, and 

<‘V3}untti^ IT }>roj(>rW would be iasUtutionsdized. 
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According to VHA’s Mating CIO, he devotes approximately 60 to 75 percent 
of his time to infortnalicm management activities. He acknowledged that 
he has no background in IT and relies on staff to provide expertise and 
guidance in this area. He said, however, that he does not think the 
allocaticm of his time or lack of bacl^ound is cause for concern, 
especially given his background in and knowledge of VHA His immediate 
focus, he said, is to bring about general management improvements in 
VHA’s Office of Information for such areas as the fiscal process, 
communications, and project management. 

We believe this dual re^>onsibility is contrary to good management 
practices, and that the VHA CIO should have information management as 
his primaiy focus. We have stressed the importance of this principle in 
testimony and in our February 1997 high-risk report, in which we 
emphasized that the CIO’s duties should be centered on strategic 
information management issues and not include other m^or 
responsibilities.’^ VHA is no exception: it needs a CIO focused on 
information management. 


VA No Longer Plans to 
Develop a 
Departmentwide 
Business Process 
Improvement Strategy 


The Clinger-C>ohen Act requires agency heads to analyze the missions of 
their agencies and, on the basis of this analysis, revise and improve the 
agency's mission-related and administrative processes before making 
significant investments in supporting IT. As our business process 
reengineering guide*^ makes clear, an agency should have an overall 
business process improvement strategy that provides a means to 
coordinate and integrate the various reengineering and improvement 
projects, set priorities, and make appropriate budget decisions. 


Our 1998 report noted that VA had not analyzed its business processes in 
terms of implementing its “One VA” vision. We also pointed out that VA did 
not have a departmentwide business process improvement strategy 
specifying whart reengineering and improvement projects were needed, 
how they were related, and how they were prioritized. At the time, VA 
concurred with our recommendation to develop such a strategy. 


’^Oov«mm«n< Kefoim: LegUmtion WovJd Strengthen Federal Management of InformatiMi and 
Technology (GAOn-AlMD^^iO&.Jtiiy 25, 199&). Managing Technology Best Practices Can Improve 
Performance and Produce Resulla{<iAOfr-AllAl>-97-3S,ian\iary 31, 1897), High-Risk Series: 
Information Managementmd Technolagy{GAOfl(R-97-9. Febniwy 1997), and Chief Information 
Officers: Ensuring Strong Leadership and an Effective Counc// (GAOrr-AIMD-98-22, October 27, 1997). 

’^Business Process Reettgineeting Assessment Guide (GAO/AIMD-IO.1.15. April 1997). 
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VA’s assistant secretary for policy and planning and principal deputy 
assistant secretaiy for information and technology have now, however, 
informed us that VA no longer plans to develop an unified, 
departmentwide business process improvement strategy. According to the 
assistant secretary, the department will, instead, rely on each of its 
administrations — VBA, VHA, and NCA — to reengineer its own business 
process. 

As we reported in 1998, an overall business process improvement strategy 
can provide the means to coordinate and integrate various reengineering 
and improvement projects, set priorities, and make appropriate budget 
decisions. Given the department's approach of delegating to its three 
m^or components reengineering of their own business processes, it is 
unclear how VA will be able to provide veterans with a unified view of VA 
services. Accordingly, VA should either reassess its “One VA” vision or, if it 
is committed to that vision, reassess its strategy given the inconsistency in 
its approach. 


VA Lacks an 
Integrated IT 
Architecture 


The Clinger-Cohen Act and Office of Management and Budget guidelines 
require agency CIOs to implement an architecture to provide a framework 
for evolving or maintaining existing IT and for acquiring new IT to achieve 
the agency’s strategic and IT goals. Leading organizations both in the 
private sector and in government use systems architectures to guide 
mission-critical ^sterns development and to ensure the appropriate 
integration of information systems through common standards.'^ 

A VA architecture team ccmsisting of representatives from VA 
administrations and offices issued a report to the VA CIO Council in May 
1997 adopting the National Institute of Standards and Technology (NIST) 
five*layer model for its depaitmentwide IT architecture. The five layers — 
business processes, information flows and relationships, applications 
processing, data descriptions, and technology — provide a framework for 
defining an IT architecture. 

However, as discussed in our 1998 report. VA and its components had yet 
to define a departmentwide, integrated architecture. Accordingly, we 
recommended that VA develop a detailed implementation plan with 
milestones for completing such an IT architecture. 


Execvlive Guide: Isnprming Mission Perfomancf Thruugh Stralegic tnfonnation ManagentenI and 
T^hnolog)'— Learning Fnm Leading Oganizations (GAOAlMD-94- 1 15, May 1994). 
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Although VA concurred with oui‘ recommendation, it did not develop a 
detailed implementation plan with milestones for completing the 
architecture. Instead, VA published a departmentwide technical 
architecture,*^ which includes a technical reference model and standards 
profile. This document describes only one element — the technology 
layer — of the full NIST model. VA has not yet documented the logical 
architecture showing the business processes, information flows and 
relationships, applications processing, and data description layers for the 
entire departmem. 

VA’s principal deputy assistant secretary for information technology said 
that in order to develop the logical architecture, the business owners 
would have to be involved. However, he has no plans to bring them 
together to begin this process. He believes, instead, that their individual 
business process reengineering initiatives will eventually result in 
development of these areas, although he did not explain how this would 
happen without guidance from VA. We believe that it is important for V'A’s 
CIO or designee to take the leadership role and work with the business 
owners to develop the logical architecture so that the department can 
produce an integrated IT architecture. 

At the component agency level, neither VBA nor VHA has fully defined and 
document^ their current IT architectures. VBA’s new CIO recently stated 
that plans to hire a contractor to document the architecture are now on 
hold until completion of a new information systems strategic plan. This 
individual stated that the IT architecture would be made part of the plan. 
Regarding VHA’s architecture, our analysis of its most recent document, IT 
Architecture — Fiscal Year 1999 Plan, shows that it also lacks key layers of 
the NIST model. It contains information on VHA’s business processes and 
the technology infrastructure, but details on the information flows and 
relationships, applications processing, and data description layers are 
missing- VHA’s IT architect said that VHA recognizes that it needs to 
complete these other layers of the architecture but does not have an 
estimate of when this will happen. 


VA Faces Challenges 
on Three IT Projects 


As you requested, we will now discuss the status of VA’s efforts to develop 
and implement three IT projects— VA’s Master Veteran Record (MVR); 
V'BA’s actions to modernize its information systems, also known as 
VETSNET; and VHA’s Decision Support System. Each of these projects is 


^''VA Technicai Archilerture: Te<hnical Reference Model and Suutdards f‘tx>rite, May 1999 
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at a different stage of development and implementation, but they all face 
challenges ahead. 


MVR — master veteran record — is a messaging system that notifies VA 
components and offices of changes in common veteran data, such as name 
and address. Its development began in 1994 and was scheduled to be 
implemented across VA by 1998, at a cost of about $8 million. MVR was 
expected to unify VA services through information-sharing among its 
admirustrations/offices, improved data integrity and customer service 
through access to the most current information, and reduced 
overpayments through more current death notifications. VA further hoped 
that as veterans received quicker responses and more complete service, 
their confidence in VA would increase. 

According to VA’s principal deputy assistant secretary for information and 
technology, the MVR project was completed in 1999. The project director 
told us that MVR’s life-cycle cost was about $4 million. M\T? has enabled 
the transmission of messages across VHA, NCA, and VA .staff offices. As 
anticipated, these messages include veteran status changes such as 
addresses and death notifications, which can be reported to any VA office 
with the expectation that all benefits programs operations will be 
informed of the new information. According to VA, MVR has begun to 
produce some of the benefits expected. For example. VHA medical centers 
can now be notified more quickly of changes in veleratis' benefits status 
that affect hospital eligibility. However, VA is »jnable to quantify the 
benefits attributable to MVR. 

Although VA considers MVR to be completed, one VA administration — 
VBA — is not yet fully linked to the system. In particular, V^A’s largest 
.service line, compensation and pension, does not yet have a gateway to 
receive MVR information, such as address changes and death notifications, 
from other systems. VBA initially stated that funding and policy issues had 
to be resolved before MVR could be implemented, yet it planned to 
develop the gateway needed for its compensation and pension benefits 
payments system to become fully linked to M\Ti by December 1999. VBA 
did not, however, meet this deadline due to a departmental request that it 
study the feasibility of using an existing interface between VBA and NCA 
to access MVR. As of April 28, 2000, VBA still had not awarded a contract 
to complete this study and develop the MVR gateway. 

According to VA’s MVR director, the delay in VBA’s compensation and 
pension service line fully linking to MVR has not significantly affected the 
department’s ability to realize benefits. While unable to quantify benefits 


MVR Has Not Been 
Completely Implemented 
Within VBA 
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VETSNET Has 
Experienced Schedule 
Delays 


for the program, he said that MVR is paying for itself today as VHA uses 
the system for its enrollment program, specifically to determine veterans’ 
eligibility for medical care benefits. 

Notwithstanding these enrollment related benefits, the potential additional 
benefits of MVR could be significant if VBA's compensation and pension 
service line was linked to it In particular, early death notifications via 
MVR could help minimize compensation and pension overpayments to 
veterans who had died. According to a December 1996 report by VA’s OIG 
on compensation and pension overpayments, 20 percent of overpayments 
went to veterans who had already died.*® These overpayments increase the 
amount of debt or accounts receivable that VBA must subsequently 
attempt to collect Pull linkage to MVR could provide compensation and 
pension personnel with notices of death sooner, and thereby help 
minimize such overpayments. 


The second project that we were asked to address is VETSNET. This 
project refers to a strategy VBA initiated to replace its existing old, high- 
maintenance payments sy^ms with newer, lower maintenance systems 
that would provide a rich data source for answering questions about 
veterans’ benefits. VBA also expected VETSNET to provide faster 
processing of benefits. 

Two m^or projects initiated under VETSNET were compensation and 
pension (C&P) replacement and education redesign. The C&P project was 
intended to replace VBA’s existing legacy compensation and pension 
payment systems with one new, state-of-the-art system. This project, 
which began in April 1996, had an estimated cost of $8 million and was 
scheduled for completion in May 1998. The education redesign project was 
intended to replace each of VBA’s four education payment systems.*® This 
project, which began in January 1997, had an estimated cost of $9 million 
and was scheduled for completion in December 1998. 


’®Thi* OIG samplwl 324 ov^^rpaynx^nti: and found that of ov«*r^)a>Tnenli toialmg $1S0,26) wciv 

issued to veterans who had already died. 

’ 'Prom fiscal year 1986 through fiscal year 19ft-*>. VBA reponedly sitent at least -$284 million 
modemizinK its systems including replacing its uld computer terminals with personal coiniiuiers and 
developing software applications to assist staff in claims processing 

*®V'BA’s four educatio.i payment systems are chapter .10, chapter -12. chainerlii, and chapter 1600 
liach of these is named for the statute that provides ilw S|)ecifiC education U iiefil For exanipk , 
chapter 30 provides benefits to active duly servit'emen. and chafiu-r icaxi is for reservisUv 
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Neither of the^ two mjyor projects has yet been completed. The C&P 
replacement project missed several key milestones, including its May 1998 
completion date and a revised completion date of December 1998. VBA 
currently has no expected completion date for this project. The education 
redesign project was terminated without a product in November 1997, and 
\TBA has not established a date for when this project will be restarted. To 
date, at least $11.5 million has reportedly been spent on the VETSNET 
C&P replacement project and about $8 million on the education redesign 
project, with no measurable improvement in service to veterans. 

We and others have previously reported on problems that VBA has had In 
completing the VTTTSNET C&P and education redesign projects."'^^ One key 
reason for these problems is the lack of an integrated architecture defining 
the business processes, ird’ormation flows and relationships^ business 
requirements, and data descriptions. For example, the C&P project was 
begun before VBA had fully developed and validated its business 
requirements on what the new system was supposed to do. Project delays 
subsequently resulted because of confusion over the specific requirements 
to be developed. At the same time, the contractor for the education 
redesi^ project cited problems with the constant redefining of the 
computer hardware and software to be used. 

Another key reason for its problems with the VETSNET projects is VBA’s 
immature .software development capability. In 1996 we reported and 
testified-’ that VBA’s software development capability was ad hoc and 
chaotic— the lowest level of software development capability. More 
specifically, at this level, VBA could not reliably develop and maintain 
high-quality software on any m^or project within cost and schedule 
constraints. Reviews by us and VA illustrated that these projects had 
difficulties meeting deadlines and that not ail critical systems dev^elopment 
areas were adequately addre.ssed. For example, in our May 1997 report, we 


”'Siiui' l!HR> VBA lias n‘|Kinf<lly sf^-nt at loa^i SlOU miMitm <m VETrSNETamlt'ihpr ri'lal**!! jimjc'cis. 
siK-h as the Usaii S<‘rv1(-fs and riaints, Exfs'r.dcd Lcnd«>r iiultfx. Loan Procc-ssiiij?. and ihi' Automuti'd 
Aprnusa) Assigimic-ni (n-rwif.-d Va Assifintiicni Sralvtit) xyst»'!«s. 

^'Vt’i/'mnsPcrK'fitsModemiisttnn ManugMocnt and Tcciwk-^t Wt'aknesscs Bt- CH-ftroiw if 
^fi•uI^•nuza(itJn June iV, Jjtftfi), VpffTans liojycftts Compuirr 

Systeim lUsks ol'i'BAs i.-ar JOQa {>roenu;i (GA(VAlMl) S>T-7i<, May m i&PT). :tnd VFTSSKTijtm.'rvrly 
< Jffirt- t>f tnrunnaiirrti ManaKcnioM, of Vi-tcrans.AfTairs, .March Iffiti. 

-^Sifftwan-CiipahilHy Eialiiatiitn I'Vs.Srtflna/e Deiclupnicnf PttKt‘ss is hnnianvp (CrAO/AlMD-^ilj-fK', 
-luin Hi. HtJm ) an<l U.AO'T AI.MI^Sfi-KW, Jun.- Hi, H*Wi 
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noted that both the C&P replacement and education redesign projects had 
missed deadlines and had schedule delays.'^ 

VBA officials acknowledge these problems and have informed us that 
efforts are underway to address them. As we have previously 
recommended, it is critical that VBA establish a complete, integrated 
systems architecture and improve its software development capability if it 
is to avoid problems like these in the future. 


VHA’s DSS Has Been 
Implemented, but System 
Usage Varies 


VHA’s decision support system — DSS— is an executive information system 
that can provide VHA managers and clinicians with data on patterns of 
patient care and patient health outcomes, as well as the capability to 
analyze resource utilization and the cost of providing health care services. 
VHA intends to use DSS to (1) prepare budgets for its medical centers, 

(2) allocate resources based on performance and workload, (3) generate 
productivity analyses and patient-specific costs, (4) support continual 
quality improvement initiatives, (5) measiure outcomes-based performance 
and effectiveness of health care delivery processes, and (6) improve 
efficiency of care processes through the use of clinical practice guidelines. 


VHA planned to implement DSS at all of its medical centers— currently 
143 — from 1994 thiough 1997 at an estimated cost of $132 million, 
Beginning in May 1994, VHA implemented DSS in its medical centers in six 
separate implementation efforts. It had been implemented at all VA 
medical centers by the end of October 1998. The total estimated cost 
through fiscal year 1999 to develop and operate DSS was reportedly at 
least $2 13 million.^ VHA expects to spend about $48 million to operate 
DSS this year. 


Although VHA could not quantify the benefits derived from the use of DSS, 
to date at least 44 VHA medical centers and selected Veterans Integrated 
Service Networks CVISN)^^ have cited benefits attributable to DSS, 
including cost reductions and improved clinical processes. For example, 
VISN 9 determined that integrating services between its Nashville and 
Murfreesboro (Tennessee) medical centers could result in projected 


^■^GAO/AIMD-97 79. May .10. 1997 

amount includes Lh<> cost of studying, developing, and iniplenienting DSS It covers Uie period 
from fisoal years 1992 through 1999. 

^■*V11A is composed of22\TSNs. which are regioiuil organizations Ptiionipassing medical renters, 
nursing liomes. and doinicihahcs. 


Page 17 


GAOrr-AIMD-00-74 



48 


savings of $5.8 million.® in another e3cample, the clinical practice of 
routinely ordering two units of pre-surgery autologous® blood for total 
knee replacement was ch^ged, at the Portland (Oregon) VA medical 
center, resulting in estimated savings of $ 600 + per case. 

However, none of the medical centers and VISNs we contacted use DSS 
for all of the purposes for which VflA intended. For example, of the 20 
VISNs we contacted — representing 126 medical centers — only 3 VISNs — 
representing 14 medical centers~-use DSS for budget formulation and 
resource allocation, according to DSS staff. Instead, they tend to use the 
cc«t distribution report^^ for budget formulation and the Veterans 
Equitable Resource Allocation model® for resource allocation. Only one 
V3SN has begun to use DSS to measure outcomes-based performance and 
effectiveness of health care delivery processes. 

A variety of reasons were given for why more medical centers and VISNs 
have not made greater use of DSS. First, .some medical centers have been 
reluctant to use DSS because of concerns about the accuracy and 
completeness of its data. Work performed by us, VA's OIG, and the 
Stewing Committee has raised similar concerns.® Second, VHA fiscal 
officials that we interviewed told us that medical centers need about 2 
years of DSS data before the system can be used for budget formulation 
and resource allocation. It was not until last October that the 52 medical 
centers in the final round of DSS implementation had accumulated 2 years 
of data. 


®V1SN 9 has medical centeis in Hunciiicton, West Vir^lru;i: Leidnjtton and Louisville, Kenluckyi and 
Memphis. Mountain Home. Murfreesboro, and Nashville, Tennessee 

^AttioloRote (a patient s own) blood is provided by the patient in advance of surgery. 

‘'“The cost disirtbutlon report is iitriied to infonnailon on where the cost is expended: fur example, a 
medical bed for an in-patieni and a clinical sto)> tmmping for an ouinaUent. In contrast, !)SS provides 
cost information that shows where Uw services were provided and aL tual resources consumetl by 
patient and by rare encounter 

®n»is model wait adr^ted to cnsuiv an etttsiaUe disuilxitjon of funds to VISNs rather than simply 
beinf! based on historic funding patterns. It provides \TSNs with national workload prices for three 
types of pabents. In fiscal year 1999. VISNs received S6G for a ba»c sit^Ie outpatient visit, $12,857 for 
basic vested care patients (tiiuse with routine health care needs), and $;?fi,855 for complex care 
pabenis (those with rompicx/cltronic health care iteeiis), 

HralthCarc Delivery Top Manafiement leiKk-rslvpCrifirailoStK-cessofDccBaonSupiton 
f>yarem(GAO'AlMI>.9>ire. September 29. 1995), AuHit of Vetenuts Health Adminisirsuion Decision 
Suf^>on Syfilpm .Stanefardizafion (Report No. 9R4-A19-075. March ;U. 1998), DSS Stwring Committee 
Report. May 14. 1888. 
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Third, DSS usage may have been hampered by iiisuffu ient staff, staff witlt 
inadequate skills, and staff turnover. For example, according to a post- 
implementation review performed by VA’s IRM Policy and Standards 
Servi<*e, over 70 percent of the medical centers had not followed staffing 
guidebnes recommended by VHA’s Implementation and Training Service. 
TTie review further stated that in some of these medical centers, the DSS 
teams were understaffed by as much as 50 percent, \llA's previous deputy 
director for technical implementation also told us that some medical 
center directors assigned personnel with inadequate skills. Additionally, 
several VISN DSS coordinators said that they have had difficulty retairung 
well-trained DSS personnel. 

We have discussed these concents with \TiA officials and they generally 
concur with them. According to these officials, efforts are underway to 
address these problems and corrective actions are expected to be 
completed by 2002. It is critical that VHA follow thj ough in addressing 
these problems if it is to achieve the benefits intended from the hundreds 
of millions of dollars spent to date on DSS. 


VA Has Begun to 
Address Computer 
Security Challenges 


The last area we were asked to discuss is computer security — critical to 
VA’s ability to safeguard its assets, maintain the confidentiality of sensitive 
information, and ensure the reliability of its financial data. If effective 
computer security practices are not in place, .seasitive information 
contained in VA’s systems is at risk of inadvertent or deliberate misuse, 
fraud, improper disclosure, or destruction — possibly occurring without 
detection. 

In September 1998 we reported that VA’s lack of effective information 
system controls placed critical depailment operatioas — such as financial 
management, health care delivery, benefiL*! payments, and other 
operations — at risk of misuse and disruption.-^’ A key reason for these 
continuing information systems control problems was that the department 
did not have a comprehensive computer security planning and 
management program. Accordingly, we recommended that the Secretary 
develop and implement such a departmentwide program, and work with 
the \^A and \TIA CIOs and facility directors to implement appropriate 
security measures and controls in i^oncy facilities. VA rec ognized the 
significance of these problems and reported information systems security 


'^’infonuaiiun Syslcnts- VA Compiler Control Woskm-sses lncr*‘ns<- Risk ol'Fr/nitl. Misuse, and 
Itnpri^r l)i!u. losure (GAO/AIMn-98- 1 75. Sopi<*n>tK.T i'i. 1 998 i 
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as a material weakness in its Federal Managers’ Flimncia! Integrity Act 
reports for 19^ and 1999. 

To address our recommendation to develop a comprehensive computer 
security pluming and management program, VA established a centraUy 
managed security group in February 1999 and an information security 
workir^ group in March 1999. Since then, VA has (1) developed a 
departmentwide plan to improve information systems security throughout 
the department, (2) established a departmentwide computer security 
planning and management program, and (3) initiated a program to 
increase computer security awarene^ across its administrations and 
offices. VA is now developing a risk-based framework for addre^ing 
information security issues. 

In addition, VA organizatior\5 have independently imtiated actions to 
improve certain aspects of their computer security programs. For 
example, as we reported in October 1999.^* the Austin Automation Center 
corrected most of the computer security issues we identified in 1998. 
Specifically, the center reduced the number of users with access to the 
computer room; restricted access to certain sensitive libraries, audit 
information, and utilities; improved identification and password 
management controls; developed a formal software change control 
process; and expanded tests of its disaster recovery plan. 

In contrast, the VBA benefits delivery centers are still in the process of 
correcting most of the weaknesses we reported in 1998. For example, 
information security reviews performed by VA’s OIG in 1999 found that 
only one of seven weaknesses we found had been corrected at the 
Philadelphia benefits delivery center and that five of seven weaknesses 
had not been fully addressed by the Hines, Illinois, benefits delivery 
center. 

In addition, audits by us as well as by VA’s GIG continue to find serious 
problems related to the department’s control and oversi^t of access to its 
computer systems at VA facilities such as the Philadelphia Insurance 
Center, and the Hines (Illinois) and Philadelphia benefits delivery 
centers.-^ For example, VA still has not adequately limited the access 
granted to authorized users, appropriately segregated incompatible duties 
among computer personnel, adequately managed user identifications and 


Systems The Status of Computer SfTurity af the Department of Veterans Affairs 
{GAO/AlMlMK>-5, Oclober 4. 1999; 

■®GAO/AIMrW)a5. Oclobir 4. 1999 
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passwords, or routinely monitored access activity. We made several 
i^commendations to address these problems. 


In summary, VA has improved its process for selecting, controlling, and 
evaluating IT investments for C3B-level projects since 1998. However, VA 
has yet to fill its full-time department CIO vacancy since its creation 
almost 2 years ago. Further, VA may encounter serious problems achieving 
its “One VA" vision until it develops an overall business process 
imi^ovemenl strategy and a departmentwide, integrated IT architecture. 
F\iU implmentation of our recommendations in these areas is essential to 
VA’s achieving its “One VA” vision. In addition, top management support 
and commitment are essential to addressing the challenges VA faces in (1) 
completing implementation of MVR, (2) addressing technical problems in 
developing VETSNET, and (3) making greater use of DSS. Improving VA's 
computer security will also take sustained leadership and commitment to 
develop and implement a comprehensive security planning and 
management program over the next few years. 

We performed this assi^rment in accordance with generally accepted 
government audiUng standards, from July 1999 through April 2000. In 
canying out this assignment, we reviewed and anal>’zed VA’s IT 
investment process policies and compared these witii applicable guidance 
in this area. We also analyzed the results of IT investments conducted by 
the CIB, VA OI&T, and VA componenis/offices. In particular, we reviewed 
17 IT proposals submitted as part of the department’s fiscal year 2000 
investment planning process and 12 IT proposals submitted as part of the 
fiscal year 2001 process. We reviewed VA's directives regarding the 
responsibilities of the CIO and reviewtjd and analyzed VA, VBA, and VHA 
IT architecture documents, comparing these to NIST’s five-layer standard, 
the guidance used by VA. For the M\'R, VETSNET, and DSS projects, we 
reviewed and analyzed costs, schedules, and status updates. In the area of 
computer security, we reviewed otir recent reports and VA updates on 
actions taken to address our recommendations. 

Mr. Chairman, this concludes my statement. I would be pleased to respond 
to any questions that you or other members of the Subcommittee may 
have at this time. 
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VA’S INFORMATION TECHNOLOGY PROGRAM 
TESTIMONY OF 

RICHARD J. GRIFFIN, INSPECTOR GENERAL 
DEPARTMENT OF VETERANS AFFAIRS 

HOUSE COMMITTEE ON VETERANS’ AFFAIRS 
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS 

(May 11,2000) 

Mr. Chairman and Members of the Subcommittee, I am pleased to be here today to 
comment on the Department of Veterans Affairs (VA) Information Technology (IT) 
program. During the last several years, the Office of Inspector General (OIG) has 
reviewed selected VA IT system development initiatives, procurements, and capital asset 
acquisition practices that identified opportunities where the Department could enhance its 
IT investment efforts. Our IT review efforts have also focused on Department 
information system security controls. 

As outlined in the Clinger-Cohen Act of 1996, Federal agencies are now required to 
focus more on the results achieved through IT investment while streamlining the Federal 
IT procurement process. The Act requires agency heads to design and develop a process 
for maximizing the value and assessing and managing the risk of an agency’s IT 
acquisitions. While the Department is taking certain positive actions to comply with the 
Act, our audits have found that the Department needs to more fully assure that IT 
resources are effectively used and user IT needs are efficiently met. Effective 
management and oversight of VA’s IT investment is important given the significant 
annual investment of over $1 billion in IT by the Department. 

The OIG has been involved with review and oversight of Department IT program 
initiatives since 1995. These reviews have included IT system developments, 
procurement of Department-wide telecommunications support, initial efforts by the 
Department to address the requirements of the Clinger-Cohen Act that include IT capital 
investment initiatives, and information system security controls. In addition to these 
efforts, we review the IT acquisitions process followed by local VA Medical Centers 
(VAMC) as part of our Combined Assessment Program (CAP). This review effort is 
being completed in response to a request from VA’s Principal Deputy Assistant Secretary 
for Information and Technology, to determine if any field activities may be acquiring IT 
(services and equipment) without following appropriate Departmental procedures for 
approval. 

IT System Developments 

Our review efforts have identified opportunities for enhancements in key VA system 
developments involving Electronic Data Interchange (EDI), human resources and payroll, 
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and a raanagement information system to support delivery of health care to veterans. Our 
review efforts included: 

1995 Evaluation of Electronic Data Interchange tEDll Implementation in VA 

In 1995, the OIG evaluated VA’s EDI implementation efforts and focused on current EDI 
implementation initiatives in the acquisition and finance program areas and future 
Departmental expansion opportunities. VA estimated that efficiencies of S499 million 
over a 5-year period could be achieved by replacing commonly used business documents 
with their electronic equivalents. At the time of the audit, the Department was in the 
initial stages of EDI implementation and we provided an early assessment of 
implementation and identified opportunities to enhance VA’s efforts. We found that 
attention needed to be focused on assessing implementation results, identifying impact on 
program operations, and preparing a strategic marketing plan to facilitate and encourage 
the significant expansion opportunities that potentially could be achieved. In response to 
the audit recommendations, the Department’s implementation efforts have been 
significant with expansion of the EDI operating environment from a relatively small 
number of trading partners and associated transactions to over 1,700 trading partners and 
1,8 million aimual procurement transactions valued at over $3 billion. 

1997 Evaluation of the Design and Implementation of PAY-VA (Now called HR LINKS'! 

In 1997, the OIG provided an early assessment of VA’s design, development, and 
implementation process for the new HR LINKS system that is expected to streamline 
VA’s human resource and payroll functions. The Department was in the initial stages of 
the system development initiative. We found that project managers had established 
management control over the multi-faceted details this system development effort 
entailed, and user involvement was significant. However, we identified opportunities to 
enhance HR LINKS implementation efforts concerning project documentation and 
workplans, cost information, contract deliverables, system security, correction of 
identified material weaknesses, training, and Contracting Officer’s Technical 
Representative (COTR) duties. 

1999 Audit _of Veterans Health Administration (VHAI Decision Support System (DSS) 
Standardization 

In 1999, the OIG reviewed the implementation of a new management information system 
intended to aid clinicians, managers, and executives in making decisions affecting the 
delivery of health care. This audit was requested by the Under Secretary for Health to 
determine if implementation of DSS was sufficiently standardized to ensure the 
usefulness of DSS data. DSS represents VHA’s first automated managerial cost 
accounting system for the delivery of medical care that will provide VHA managers with 
cost and clinical information for consideration when making clinical decisions, managing 
workload, and controlling medical costs. Our audit found that the potential usefulness of 
DSS and its data was being compromised because some VAMC staff had diverged from 
the system’s basic structural standard. Where such divergence had been detected, it 
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prevented data from these VAMCs being accurately aggregated along with data from 
other facilities that did adhere to the structural standard. In order that DSS can achieve 
its full potential, the Department needs to ensure adherence with the standard DSS 
structure. We estimate that, through September 1998, DSS represented an investment of 
about $140 million for VHA. 

Procurement and IT Capital Investment Initiatives 

Our review efforts have identified opportunities for VA to enhance the efficiency and 
effectiveness of IT contracting initiatives and assure that the Department’s IT capital 
investment process addresses the requirements of the Clinger-Cohen Act. Our review 
efforts included: 

1998 Audit of VA Procurement Initiatives for Computer Hardware. Software, and 
Services tPCHS/PAIRSl and Selected Information Technology Investments 

In 1998, the OIG reviewed VA’s acquisition initiatives for procurement of computer 
hardware and software (PCHS) and the procurement of automated information resources 
solutions (PAIRS). These acquisition initiatives were to be the principle nationwide, 
non-mandatory sources for acquiring IT equipment and services for VA. Our review 
found that acquisition risks associated with the PCHS procurement had been effectively 
addressed by VA’s procurement planning actions. We also identified opportunities for 
VA to enhance its IT contracting initiatives aiTd help address and meet IT performance 
expectations included in the Clinger-Cohen Act. Key issue areas requiring VA action 
included: (1) use of national contracts, (2) Veterans Health Administration’s major IT 
initiative for clinical workstation replacements (capital investment valued between $700 
to $800 million), (3) IT performance expectations (audit found that VA needed to reduce 
IT costs by $22 million a year and by $101 million over 5 yearsj, (4) IT hardware 
requirements (audit found that VA could potentially spend an additional $36 million for 
its replacement of dumb terminals with unnecessary upgraded equipment), (5) plaiming 
PAIRS procurement strategy, and (6) COTR training. 

At the time of the audit, the Department was in the initial stages of taking actions to 
comply with the Clinger-Cohen Act. Since then, VA has developed a Department IT 
Portfolio, which contains a ranking of VA IT investments and a performance 
measurement/performance management strategy. VA has also developed an IT strategic 
planning process which includes an investment decision framework. 

1998 Evaluation of VA Capital Programming Practices and Initiatives 

In 1998, the OIG evaluated VA’s capital asset acquisition practices and efforts to 
implement a capital programming process. VA capital assets include land, structures, 
equipment, and IT hardware and software. We found that VA was making progress 
toward a comprehensive capital program for managing its capital investments, but 
additional policy was needed for VHA’s Veterans Integrated Service Network-level 
investments, and alternative capital funding strategies should be explored. Our 
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evaluation found that VA’s capital investment initiatives for IT had made more progress 
than initiatives for other types of assets. VA was in the process of revising policies to 
meet the requirements of the Clinger-Cohen Act and related Office of Management and 
Budget initiatives. A significant accomplishment was the September 1997 VA Directive 
6000, VA Information Resources Management Framework , that established an IT 
management framework and defined the responsibilities for planning, budgeting, 
procurement, and management in-use of IT assets. 

1999 Audit of Procurement Initiatives for VA’s Integrated Data Communications Utility 
flDCUI Telecommunications Support 

The 1999 OIG audit examined the 10-year old contract and planned replacement efforts 
for VA’s IDCU telecommunications support for network interface facilities. The IDCU 
is a Department-wide data communications network enabling VA users to connect from 
one automated system to another and to access various databases. 

The audit found that the Department took positive steps to transition to a new wide area 
network (WAN) contract, but issues were identified in the old IDCU contract that 
adversely impacted VA operations and costs. The IDCU system and contract were no 
longer meeting VA’s telecommunication requirements effectively or efficiently. Key 
audit finding areas included: (1) contract modifications totaling SI 42 million were not 
supported with adequate documentation to explain why the contract increases were fair 
and reasonable; (2) VA spent approximately $3.1 million leasing and maintaining an 
excessive number of unused ports over the life of the contract; (3) VA needs to recover 
over $1 million in payments to the contractor for the Performance Management System 
that was not accepted; (4) VA saved $944,891 by terminating the acquisition support 
contract in response to our audit results; and, (5) VA could save an estimated $60,000 if 
consultant services were acquired through competitive means. We also advised the 
Department that it needed to conduct a formal risk assessment to adequately assess, 
manage, and mitigate the levels of risk associated with transitioning to a new WAN 
solution. In addition, we identified some key business decisions made by the contracting 
officer at the time the contract was awarded that negatively impacted VA’s ability to 
effectively administer this contract over its 10-year life cycle. 

Combined Assessment Program (CAPl Reviews of Facility IT Acquisitions 

In response to a November 3, 1999 memorandum from the Principal Deputy Assistant 
Secretary for Information and Technology, we agreed to include a review of the IT 
acquisition process as part of our regularly scheduled CAP reviews (30-35 reviews are 
planned annually). Our CAP reviews provide an independent and objective assessment 
of key operations and programs at VAMCs on a cyclical basis. The Principal Deputy 
Assistant Secretary wanted us to determine if any field activities may be acquiring IT 
(services and equipment) without following appropriate Department procedures for 
approval. So far, our review of IT acquisitions at VAMCs Dublin, GA, Biloxi, MS, and 
Denver, CO did not identify any problems in this area. 
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Information System Security Controls 

Our review efforts over the last several years have identified Department-wide 
weaknesses in information system security that continue to make VA’s program and 
financial data vulnerable to error and fraud. These system security weaknesses are so 
serious that the Department has designated the information security area as a material 
weakness under the Federal Manager’s Financial Integrity Act. Our review efforts 
included: 

1995 Audit of Security at the Central Office Automation Center 

The audit found a need for improvement in physical and electronic access controls over 
equipment, sensitive data, and critical applications maintained by the Center. Security 
control weaknesses left the Center systems vulnerable to unauthorized access, 
inappropriate disclosure, and destruction of data. 

1996 Audit of Security Controls at the Austin Automation Center 

The audit found that VA needed to strengthen security controls to ensure that Center 
operations were adequately protected. A number of key security enhancement 
opportunities were identified that could help make the Center more physically secure as 
well as less vulnerable to unauthorized electronic access. The need for tighter security 
measures was also supported by the fact that the Center is located adjacent to an Internal 
Revenue Service Center that has been a target for bomb threats. 

1997 Audit of Security Controls at the Hines Benefits Delivery Center 

The audit found that security controls needed to be strengthened to ensure that Center 
operations were adequately protected. The review found that the Center’s security efforts 
could be better focused by establishing a proactive security program. Also, the Center 
needed to develop a current security risk assessment that adequately identified the 
criticality and sensitivity of the data processed and maintained, and the vulnerabilities to 
which the systems are exposed. 

1998 Audit of Security Controls for the Integrated Data Communications Utility ilDCUI 

The audit found that security controls needed to be strengthened to ensure that IDCU 
operations were adequately protected. Key security improvements were needed to assure 
adequate physical security controls at major IDCU facility switch sites and better control 
of remote access to the IDCU. Maintaining appropriate security and continuity of IDCU 
operations is important because this network provides key data communications support 
to more than 500 VA facilities that are cormected to the IDCU as well as transmitting 
financial transactions and data associated with VA’s S48 billion budget. 
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1999 Consolidated Financial Statements (CFS> Audit 

Audit tests completed this year continue to demonstrate wide spread system security 
control weaknesses. We found that often, the needed improvements were well known 
within the security community such as installing and implementing patches, employing 
more secure configurations, and making use of more secure management procedures. 
Our security control testing found that: 

• Access controls and monitoring were ineffective at VBA . Penetration tests at VBA 
demonstrated that weaknesses allowed us to obtain privileged access from outside 
and inside VBA to significant computing resources without being detected. This 
access was obtained using relatively unsophisticated methods and exploiting 
configuration weaknesses. These weaknesses could have been mitigated or prevented 
by stronger passwords, installing corrective patches, better configurations, and use of 
more secure management practices. We recommended that VA strengthen its 
password policy and suggested that the Principal Deputy Assistant Secretary for 
Information and Technology take specific actions to implement, and then to verify the 
successful implementation of a revised minimum password policy by December 31, 
2000. 

• Significant weaknesses in automated data processing general controls also continued 
within VHA . For example, at one facility we determined that 3,860 users 
inappropriately had the ability to obtain one of the password files, and that 90 
accounts remained active despite the fact that the owners had not signed on in more 
than a year. 

We have reported system security control weaknesses in our 1997 and 1998 CFS audits 
and made recommendations for VA to implement a comprehensive security program that 
would improve access controls. During 1999, VA had proposed and taken a number of 
corrective actions that could result in an effective security program with strengthened 
access controls. However, these efforts are just beginning to be implemented and have 
not had time to permeate the organization. With the apparent resolution of significant 
Year 2000 concerns within VA, the Department can now better focus its efforts on 
information security. 

This concludes my testimony. 1 would be pleased to answer any questions you and the 
committee may have. 
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statement by 
Harold F. Gracey, Jr. 

Principal Deputy Assistant Secretary for Information and Technology 
Department of Veterans Affairs 
Before the 

Subcommittee on Oversight and Investigations 
Committee on Veterans’ Affairs 
U.S. House of Representatives 
May 11, 2000 


Good morning, Mr. Chairman and members of the Subcommittee. I am pleased 
to testify before you today to discuss the Department of Veterans Affairs' 
Information Technology programs. 

On July 1, 1998, the Office of the Assistant Secretary for Information and 
Technology was established to focus on information and technology 
management. The Assistant Secretary position was created to be the Chief 
Information Officer (CIO) for the Department of Veterans Affairs. The CIO has a 
“seat at the table,” of VA senior management officials as intended by the 
Information Technology Management Reform Act, also known as the Clinger- 
Cohen Act (Public Law 104-106). The CIO advises the Secretary on the most 
critical information technology (IT) issues facing VA. The decision to establish a 
separate CIO position provided VA's information technology function with 
visibility and authority, and at the same time, established clear responsibility and 
accountability. 

I was appointed Principal Deputy Assistant Secretary for Information and 
Technology and acting head of the newly established Office of the Assistant 
Secretary for Information and Technology in June 1998. 
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Upon assuming the role of Acting CIO, I focused on two time sensitive crises the 
Department was facing - - readiness for Year 2000, and the replacement strategy 
for the Integrated Data Communications Utility (IDCU). 

My first priority was the challenge of the Year 2000. We have worked very hard 
in bringing VA's information technology systems into compliance for service to 
veterans in the Year 2000 and beyond. VA successfully transitioned into the 
Year 2000 without any significant Year 2000 incidents. VA remained on a 
"Green” operational status throughout the date rollover period and we continue to 
operate on a "Green” status without any Year 2000 interruptions. VA benefits 
were paid on time and our health care facilities remained open throughout the 
date rollover. VA also completed "health checks” at our Headquarters offices, 

172 medical centers, 600+ outpatient clinics, 58 regional offices, all national 
cemeteries and data processing centers. These “health checks” found that these 
facilities were operational and no significant Year 2000 problems were 
encountered. This successful transition into the Year 2000 reflects the hard work 
performed nationwide by VA employees to make VA's systems Year 2000 
compliant. 

As my second priority, I established an IDCU Replacement Team last year, 
consisting of representatives from the major VA organizational elements, to 
develop a replacement wide area network (WAN) to accommodate department- 
wide data communications needs info the next century. The Team identified 
Sprint Corporation under the General Services Administration's (GSA) Federal 
Technology Services 2001 (FTS2001) contract as the vendor of choice to provide 
data and voice communications services to the Department. 

Early on, I met with the General Accounting Office (GAO) and the Office of 
Management and Budget (0MB) to gain their perspective on how the 
Department might implement best practices. VA continues to meet with GAO 
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regularly to discuss their recommendations on our efforts to utilize IT as a tool to 
improve service to veterans. In addition, VA continues to work with 0MB by 
providing status and information on our significant IT initiatives. 

I'd like to share with you some of our major accomplishments and the progress 
we have made in the last year. 

INFORMATION TECHNOLOGY STRATEGIC PLAN 

The VA Information Technology (IT) Strategic Plan was published in April 1999 
and is being updated this month. It is the result of an extended effort by a 
department-wide team and sets a framework for our IT decision-making in VA. 
The vision and goals defined in the IT Strategic Plan will enable the Department 
to address cross-cutting opportunities and continue to make strides toward 
achieving One VA. One VA means presenting an increasingly single face to the 
veteran. Traditionally VA has used information technology to automate 
processes within lines of business, but not across them. One VA for IT means all 
business lines will look outside themselves, to share and exchange information 
as they have not done in the past and to integrate information systems across 
business lines to improve overall service to VA's common customer, our nation's 
veterans and their families. 

VA IT ARCHITECTURE 


In May 1999, VA published a department-wide technical architecture. The 
architecture lays out the technical services (reference models) and the technical 
standards that are to be followed in the design or acquisition of new information 
systems. It addresses interoperability and compatibility of our systems. The 
architecture conforms to OMB's May 1997 guidance on what an agency 
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architecture must comprise at the technology layer. In addition, it is used as a 
criterion in the VA capital investment planning process. 

VA CAPITAL PLANNING 


In response to the Government Performance and Results Act (GPRA) (Public 
Law 103-62) and Clinger-Cohen, VA instituted a capital planning process in the 
fiscal year 1999 budget cycle. It is a three-tier process (business, technical, 
strategic) that ultimately integrates, at the strategic level, a review of all types of 
capital asset proposals, establishing a businesslike framework for management, 
accountability, and budgets that evaluate the risks and benefits of major 
investments over their entire life cycle. 

The IT technical level of review is fully integrated with the Department's capital 
investment process with a focus on IT issues. IT evaluation criteria include 
mission improvement and service, IT performance, project management, 
customer acceptance, and risk. Cost and schedule are further evaluated on a 
quarterly basis, and in-process and post implementation performance reviews 
are also conducted. 

The process for IT begins with issuance of a joint Capital Call, a department-wide 
memorandum, signed by the VA Acting CIO and the VA Chief Financial Officer, 
requesting all types of capital investments, including information technology. The 
Capital Call results in the Capital Plan submitted to 0MB, which we talk about 
corresponding to the budget. The Administrations and Staff Offices submit 
structured applications/proposals for projects that meet capital investment 
criteria. IT projects are evaluated by a cross-organizational Investment Panel 
chartered by the VA CIO Council. The IT proposals are evaluated against each 
other for merit, using criteria and weights defined by the CIO Council. As a 
result, some projects may fail this review process despite their selection by their 
administration or staff office. The outcome is a numerical ranking of projects. 
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supporting analyses and recommendations submitted to the CIO Council for 
review and recommendation. The CIO Council determines which IT projects go 
forward for strategic review to the Department's Capital Investment Board, 
chaired by the Deputy Secretary for final decision. I am also a member of that 
department-level board - the VA Capital Investment Board (VAC IB). 

VA’s capital investment process will be further enhanced when we complete 
implementation of the Information Technology Investment Portfolio System (also 
known as l-TIPS) to track our IT investments. VA will extend the l-TIPS concept 
to track all other departmental capital investments as well. 

VA is striving to link its major IT planning and budgeting documents to have 
conformance among our budget and performance plan, our capital plan, our 
capital investment proposals, and our “Agency-Wide Summary on Obligations for 
Information Technology” (0MB Circular A-11 Exhibit 53) submitted to the Office 
of Management and Budget. 

DATA CENTER COLLOCATION 


A significant cost cutting plan VA intends to pursue this year is the consolidation 
of the 3 existing VA data centers. Previous plans to collocate were postponed in 
an effort to ensure that veteran payments continue without interruption up to and 
beyond January 1 , 2000. The FY2000 Appropriations Conference Report 
required VA to submit a report summarizing all cost/benefit studies regarding the 
consolidation. We are pursuing discussions to resolve questions arising from our 
report which was submitted March 9, 2000. 

VA TELECOMMUNICATIONS 


The Department of Veterans Affairs selected Sprint Corporation under the 
General Services Administration's Federal Technology Services 2001 contract as 
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the vendor of choice to provide voice and data communications services for the 
Department. The FTS2001 contract offers VA excellent pricing, the opportunity 
to better manage telecommunications services, and the ability to work with a 
company with an established reputation in the telecommunications community. 


VA INFORMATION SECURITY 


Information Security is also a key issue for VA, as it is for the government at 
large. In fact it is our next priority. Accordingly, in May 1999, a department-wide 
information Security Workgroup comprised of senior staff from each 
administration and staff office’s information security management function 
completed a comprehensive, Department Information Security Program 
Requirements and Budget Plan (ISP), which provides a comprehensive multi- 
year program plan and budget proposal. The plan calls for a total investment of 
about $85 million over a six-year period beginning in FY 2000. The ISP is 
intended to be the single project management reference point for all department- 
wide information security spending proposals, capital investment plans, budget 
representations, FMFIA material weakness remediation tasks, and Presidential 
Decision Directive 63 {PDD-63) critical infrastructure protection efforts. Eleven 
ISP initiatives comprise the concurrent actions necessary to manage the areas of 
greatest information security risk. 

ONE VA INITIATIVES 


Last, in the area of business process reengineering, the Department has held 
four regional and one Central Office One VA Conferences. The conferences 
brought together senior leadership, middle managers, first-line employees, union 
representatives, and Veterans Service Organization members to support the 
institutionalization of a true One VA culture. As a direct result of national One VA 
issues identified by participants at these conferences, Deputy Secretary Hershel 
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Gober has charged me, in consultation with the Department's CIO Council and 
business line managers, to develop a plan that includes milestones and 
estimated costs for achieving the type of integrated information system 
architecture necessary to support a) front-line employee access to needed 
information across VA; b) an accurate, consistent, and reliable integrated 
information system covering all veterans; c) a smart card for veterans; and 
d) consolidation of 1-800 telephone numbers. 


SUMMARY 


While much progress has been made, I realize much remains to be done. We 
are moving forward in a partnership with Sprint Corporation to conduct an orderly 
transition of data communications in a manner which will not disrupt service to 
the veteran. We need to continue strengthening the capital investment planning, 
making improvements to streamline the process while continuing to capture 
information needed to make informed investment decisions. We are now 
collectively moving forward to integrate VA's information technology initiatives 
into One VA systems that will support VA's business operations. We will ensure 
that we protect VA records either in electronic or paper form from unauthorized 
access or disclosure and we will establish the security necessary to provide our 
customers the assurance that their records and the information they provide to us 
is maintained as accurately and reliably as possible. The accuracy, security, and 
privacy of all VA records is one of VA's most important objectives as we move 
forward in doing business electronically. I will not be satisfied until we have in 
place systems that support the provision of seamless, world class service to 
every veteran who comes to VA. 

Mr. Chairman, that concludes my statement, I and my colleagues will be happy 
to respond to any questions you may have. 

O 



